Here’s an example of some of that: Discourse Video Upload Plugin with YouTube and Vimeo
There is an access_control_post_id field in the uploads model.
My guess is that if you want fine-grained permissions of uploads you’ll save a lot of time using the S3 code that exists–especially if obscure filenames aren’t enough–you’d essentially need to write an entire permissions system for wherever you’re going to put the stuff. Or maybe I just don’t understand.