luceos For a start, I think what would help a lot is to delete the stored files when one deletes the media entity from his profile. Otherwise it becomes impossible to trace who uploaded what: people can just upload, get the link and delete the media entity and voilà, they have some stored file with a link to it, which cannot be traced to them and is not detectable in any possible way unless someone makes the elaborate logic that I explained in my previous post (crawl all stored files, crawl all posts for links and detect those files that are not used in posts).
As a side question, is there any rate limiting logic in the file uploader? Is the upload going through the same rate limiting logic that prevents multiple posts from being created? Because it can become a real nuisance if one just simultaneously opens tens/hundreds of authenticated sessions and uses them to upload junk (or malicious stuff like illegal content). It will exhaust the storage (I'm on the AWS free tier, which is limited, and will have to pay per MB if over the quota) but can also lead to nasty situations where I, as the owner of the domain, might be held accountable for the content in that storage by law enforcement.