File downloads from data access capabilities (services) that require auth-z should always generate auth-z tokens, regardless of the permissions for the containing dataset. For example, TDS based files, for datasets that are "free" or "guest" access should generate tokens, since the publishing application currently assumes all TDS based files are "restrictAccess".