Just hides the URL doesn’t disable it

This plug-in disables the generation of the HTML of the media permalink within a page. It does not disable the underlying functionality where, e.g., /wp-content/uploads/2023/07/nonpublic.pdf might become accessible as an automatically generated link in the page at /nonpublic/ (an “attachment post”).

(I’ve already restricted access to wp-content/uploads using mod_rewrite to require a HTTP_REFERER from the same site; this allows me to allow links only when I create them on private pages. Except that there’s no way in the UI to set an attachment post to private, so I want to get rid of them entirely. Perhaps I can do that by mangling image.php in the theme.)

The code itself is very nicely concise and easy to understand and confirm it’s not a security threat, so I’m leaving half stars for that, but at least for me, it’s just a security-through-obscurity solution to the underlying issue of attachment posts for media.