You can test by sending the specific files into different workflow states and control rights from those states.
within a folder giving different rights to files with same extension is possible but requires you to give file specific rights.
Read only access means that he can open them and not save them back into PDM. He cannot check them in.
So, yes the person will be able to copy them to their desktop. Read only does not mean that they will only be able to see them in the viewer included in PDM. They will be able to download them and do whatever they want with the file once they have it on there computer.
In other words they won't be able to save it to their local view, but they could copy and paste it to another folder on their computer. Or they could open it in an editor and save it to a different location.
Retrieving data ...