Drupal media access control should be the same as the referencing content node access and privacy settings

In the new version, we would like to have this fixed so that folks can add things from the media library (assuming that they can only see files associated with content items that have not be designated as private). Do content permissions sync with file permissions?

There are two additional layers of access after the content:

  1. Passing on the content item (node)’s permissions to the media item.
  2. Preventing access to the actual file if someone does not have access to the media item.

Note that the equivalent to 2 is not a feature of many current sites— if you can guess a path to the file, you can see it. So only addressing 1 here, for now. (Once the media access is controlled, addressing 2 is a matter of enabling and using private files. More here Make Media Library work with private files ? and here, plus an issue about documenting supporting private files for media).

- [Media Private Access](https://www.drupal.org/project/media_private_access) does this with its Media permissions "Inherited from immediate parent" access mode, but is aggressively labeled experimental— still, if it works that may be the most straightforward solution and we can seek co-maintainership of the module.
- The core issue, [Make private file access handling respect the full entity reference chain](https://www.drupal.org/project/drupal/issues/2904842), has no patch to fix it (the old patches are only about adding a warning), but [suggests a workaround](https://www.drupal.org/project/drupal/issues/2904842#comment-13942052) by the module providing the original access control, Permissions by term, to also do access control for the associated media entities.
  
  One one set of sites we have it is certainly worth filing an issue with [Access Policy](https://www.drupal.org/project/access_policy) module that we are already using.  It already [supports multiple entity types](https://www.drupal.org/project/access_policy/issues/3421025) including (it seems?) media.  There may already be a way to configure the module to do this, or the feature may be readily embraced by the amazingly responsive maintainer.
  
  Or, as an issue closed as duplicate put it: Access to files attached via media entities should be ultimately controlled by the published state of related content