File Permissions Clarification

Hi,
I’m using the JS Files API to upload files, and the Permissions API, in an attempt to secure each file so that only the user who uploaded it and users with a particular user-defined Role can read or delete the file. How can a user with nothing but the AuthenticatedUser role save a file, then lock it down so no one else can read or delete that file? I am having to grant the Permissions permission on the directory in order for the person uploading to deny access to all other users. But if the Permissions permission is granted on the directory, any AuthenticatedUser can set the permissions for any file in the directory and give themselves any access they want.

Any enlightenment welcome! Thank you,

Kelly

Ignore this question, please - it is resolved, but I’m not allowed to delete it.