Currently, there are three options:
1. The default is the site database. Uploaded files are always stored in the database prior to approval. Storing files in the database is very secure, as no matter what they contain, they cannot be executed. (Obviously you still need to take care not to host files that could be harmful to your users). The repository can be migrated simply by transferring the database.
2. The file system. Although database is recommended for most uses, you may want to store the file repository in the file system. You can set a default location and also set individual locations for each container. Ideally, you should locate the files outside the web server document root for security. Remository will insert an ID number into the file name if you wish, so as to allow multiple files with the same name. This is not visible to users.
3. Another alternative is Amazon's S3 storage service. That allows for unlimited storage (subject to cost) and high speed delivery of files. The files cannot present any risk to your web site.
You can find more information on file storage in the Remository documentation