Good deal. I want to mention that I am not against app authentication (i.e. the JWT) and I feel it is probably required to tie app keys to safe calls for rewards (among other things).
Fantastic info, thanks. May I ask a favor then? Can you make the “/public/” stuff coming out of the demo app in the save drive instead of the demo-app-specific folder? Right now nobody can write an app to access that stuff unless they cheat and lie about who they are (like I did at https://github.com/cretz/go-safeclient/blob/4bb564456103f36eb254e0049b65c5474f3806a1/cmd/root.go#L24 
)
Yes, that can happen if it is set as attachment. I have not looked into it very deeply. Granted if I requested it I probably know the name anyways.
As for file sizes and partial content, you should look into Content-Range and 206 statuses (partial content).
Other stuff understood. Thanks again for the feedback. It is very helpful IMO that we can engage on the tech details here.