So I've asked questions on a Reddit thread, and I've asked some questions on Drupal Answers. The people who answer are extremely helpful, and if I get some further answers it may change my mind, but at this stage, it seems to me that my best approach for managing access by role to individual files as part of a node with its own independent access controls might be to continue on the track I've been on:
Associate my files content type with the publication content type through an inline entity form, which will also let me set whether each file is public or internal-only via a status field. I can then just choose to display or not display the entry in the template based on the value of the status field. This could potentially allow access to file downloads to anyone with the direct URL, but that is fine, and is not different from the system we are migrating from. Since I am using private files, it will hopefully be better because at least Google Analytics will have a chance to see file downloads even for those direct links. That is something I still have to investigate. I'd love to find a good module for enabling better file download statistics, which is something else that I need to get access to over the coming months.