Hi Kent - My mistake, I misinterpreted your question at the first go! With the current setup, you actually are not able to attach a manually uploaded file to a thing and make the file conform to privacy rules.
When you upload a file using the new Upload button on the File Manager page, you generate a public URL. This URL will always remain public if someone has access to it in its entirety, and you can get access to it by clicking on the file name in File Manager.
Through a workflow, you could add the manually uploaded file’s URL to a file data type field on a thing with privacy rules. To be clear, this action does not actually attach the file to the thing, nor does it change the original file URL to become private. Instead this action adds the public URL as a string and the thing is now associated with that string. If you have privacy rules on that thing, they apply to that URL string – only X users can view the file data type field (and therefore the associated file URL string). However, anyone who has access to the file URL string can still view the file since for manually uploaded files, this always remains a public URL.
The current way to attach a file to a thing and enforce privacy rules is done through runmode on the native File Uploader element. This can only be set the first time around for a file.
Let me know if that clears things up!