Download permissions for renditions are very limited because the document is missing from the context. Unlike the PreviewAdapter, the RenditionAdapter doesn't explicitly verify file download permissions and only passes the renditionName to the download servlet, so part of the context is lost.
One could argue that a rendition configuration contains an action filter in the first place, but:
- XML configuration and EL expressions are not as versatile as a JS script
- configuration must potentially be duplicated, once for stored blobs and once for renditions.