    Enforce calling identity before clearing. · ceec8c3f
    Jeff Sharkey authored
    Fix merge conflict into nyc-release
    When opening a downloaded file, enforce that the caller can actually
    see the requested download before clearing their identity to read
    internal columns.
    
    However, this means that we can no longer return the "my_downloads"
    paths: if those Uris were shared beyond the app that requested the
    download, access would be denied.  Instead, we need to switch to
    using "all_downloads" Uris so that permission grants can be issued
    to third-party viewer apps.
    
    Since an app requesting a download doesn't normally have permission
    to "all_downloads" paths, we issue narrow grants toward the owner of
    each download, both at device boot and when new downloads are
    started.
    
    Bug: 30537115, 30945409
    Change-Id: If944aada020878a91c363963728d0da9f6fae3ea
    (cherry picked from commit 243e6294)
DownloadProvider.java 63.2 KB
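
The check-then-clear ordering the commit message describes, as an added example that is not the DownloadProvider source. The class name `GuardedFileProvider`, the `lookupInternalPath` helper and the `"_id"` column are assumptions, and `query()` is assumed to return only rows the calling UID is allowed to see.

```java
import android.content.ContentProvider;
import android.database.Cursor;
import android.net.Uri;
import android.os.Binder;
import android.os.ParcelFileDescriptor;
import java.io.File;
import java.io.FileNotFoundException;

// Added illustration of the pattern; hypothetical class, not project code.
public abstract class GuardedFileProvider extends ContentProvider {

    // Hypothetical helper: reads the internal file-path column for this row.
    // Must only be called while running under the provider's own identity.
    protected abstract String lookupInternalPath(Uri uri);

    @Override
    public ParcelFileDescriptor openFile(Uri uri, String mode)
            throws FileNotFoundException {
        // Step 1: still running as the caller. query() is assumed to filter
        // by calling UID and Uri grants, so a row the caller cannot see
        // yields an empty cursor and the open is refused here.
        try (Cursor visible = query(uri, new String[] {"_id"}, null, null, null)) {
            if (visible == null || visible.getCount() != 1) {
                throw new FileNotFoundException("No entry visible to caller: " + uri);
            }
        }

        // Step 2: only after the visibility check passes, drop the caller's
        // identity to read columns the caller is not allowed to query.
        final long token = Binder.clearCallingIdentity();
        final String path;
        try {
            path = lookupInternalPath(uri);
        } finally {
            // Always restore, so later permission checks on this thread
            // are evaluated against the real caller again.
            Binder.restoreCallingIdentity(token);
        }

        if (path == null) {
            throw new FileNotFoundException("No file recorded for " + uri);
        }
        return ParcelFileDescriptor.open(new File(path),
                ParcelFileDescriptor.parseMode(mode));
    }
}
```

Reversing the two steps reproduces the confused-deputy condition: the privileged lookup would run for any Uri the caller names, whether or not the caller can see that row.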