The security policies introduced in NXP-17933 need to get as much info as possible from the origin of the blob whose download permission is being checked.
For instance, when downloading a PDF conversion, we should propagate the XPath of the original blob.
In addition, the various Restlet-based downloads (preview, contentDiff, etc.) must also be protected by the download service checks.