There is a long-standing patchwork that implements permissions and restrictions for issue attachments #24623. We would like to have this patch accepted upstream. Currently, it requires tests and a "bit" of pushing upstream. We would like to pay for this.
To discuss further, contact me in telegram: https://t.me/pva0xd