Thanks for the reply, Fabrice. The only problem is that what you describe matches neither my experience nor the documentation. The intended behavior is described in the manual both here and here.
My experience has always matched what’s described in the docs - i.e. that any user who can “see” the thing to which the file is attached can also access the file itself, as long as the View attached files permission has been granted in the privacy rules.
Mine don’t. That’s what’s odd. @akoziol and I actually exchanged a few private messages, and I noticed that our private file URLs are distinctly different. His were as you describe - that is, an S3 URL with several privacy-related query string parameters - whereas mine aren’t. Mine are a Bubble URL; and so the file, which is hosted on S3, is behind a Bubble endpoint that controls access to it.
I don’t know if this issue is related to regional differences in AWS services across the globe, country-specific privacy regulations, or a Bubble bug or what; but @akoziol said he’d contact Bubble support and report back. I’m eager to learn what the issue is. Meanwhile, things seem to work for me as documented.