but it does when accessing content on the specific site
How could that work without OpenWebAuth or something like a login? @Hans you are all right now
Zap has OCAP support so private photos are visible over ActivityPub, and private groups. You're welcome to steal the code. It's not much different than creating a guest access token - and you could also just do that.
and get a URL of this image which can be opened in any browser independently of the AP contact - so it is like a public image now. Actually it is a URL of a copy of the image on the AP Server.
So the access control setting of a file does manage the right if a contact looks by OpenWebAuth at the file folders - it does not manage the right to see the file when it is shared in a post.