Attachments and AuthAccount capabilities preview release

Only the owner of a resource (i.e. the person who has the actual resource value as opposed to a reference to it) is able to add or remove attachments from it. Anybody who possesses a reference (with the proper type) can access the attachments on a resource however.

Also, is there a way to restrict removal even from the owner of the resource.

This was a feature that was discussed but was not included in the initial release of the attachments feature. If there’s a compelling use case for restricting removal we can consider adding it though.