This is a fantastic catch and spot on.
Uploads have a user_id, but that is just the original user that created the upload.
Converting that code to:
Upload.where(id: params.upload_ids).joins(:user_uploads).where(user_uploads: { user_id: guardian.user.id })
will do the trick.
Can you send a PR through!
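A small in-memory Ruby sketch of the ownership check described in this reply, written for this page rather than taken from Discourse: it contrasts filtering on `Upload#user_id` (only the original uploader) with filtering through the `user_uploads` join table, which is what the suggested `joins(:user_uploads).where(user_uploads: { user_id: ... })` query does against the database. The Struct models, sample rows and method names are constructed for the example; the real code runs these as ActiveRecord queries.

```ruby
require "set"

# Constructed stand-ins for the Upload and UserUpload tables (not Discourse's models).
Upload     = Struct.new(:id, :user_id)      # user_id = original uploader only
UserUpload = Struct.new(:upload_id, :user_id) # one row per user who may use the upload

# Constructed sample data: upload 2 was created by user 10 and also granted to user 30.
UPLOADS = [Upload.new(1, 10), Upload.new(2, 10), Upload.new(3, 20)].freeze
USER_UPLOADS = [
  UserUpload.new(1, 10),
  UserUpload.new(2, 10),
  UserUpload.new(3, 20),
  UserUpload.new(2, 30),
].freeze

# Creator-only check, equivalent to Upload.where(id: ids, user_id: current_user_id).
# Too narrow: user 30 legitimately holds upload 2 via user_uploads but is denied here.
def uploads_by_creator(ids, current_user_id)
  UPLOADS.select { |u| ids.include?(u.id) && u.user_id == current_user_id }
end

# Join-based check, equivalent to
#   Upload.where(id: ids).joins(:user_uploads).where(user_uploads: { user_id: current_user_id })
# Only uploads that have a user_uploads row for the current user survive the filter,
# so requested ids the caller has no grant for are silently dropped rather than returned.
def uploads_for_user(ids, current_user_id)
  granted = USER_UPLOADS
    .select { |uu| uu.user_id == current_user_id }
    .map(&:upload_id)
    .to_set
  UPLOADS.select { |u| ids.include?(u.id) && granted.include?(u.id) }
end

if __FILE__ == $PROGRAM_NAME
  requested = [1, 2, 3]
  puts "creator-only, user 30: #{uploads_by_creator(requested, 30).map(&:id).inspect}"
  puts "join-based,   user 30: #{uploads_for_user(requested, 30).map(&:id).inspect}"
  puts "join-based,   user 10: #{uploads_for_user(requested, 10).map(&:id).inspect}"
end
```

The point of the join is that authorization follows the grant table, not the creator column: a caller who passes upload ids they have no `user_uploads` row for gets nothing back, and a caller who was granted an upload they did not create still gets it.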