
Image style preview gives erroneous access error with private file system

It appears (from stepping through the code) that when a public file system is the default, image.admin.inc/theme_image_style_preview generates the derivative and the links to it are simply file links.

When the file system is changed to private, the URL generated dispatches to image.module/image_style_deliver. The first problem is that (assuming $conf['image_allow_insecure_derivatives'] is not TRUE) the IMAGE_DERIVATIVE_TOKEN is checked. But theme_image_style_preview does not generate these tokens, either for the img tag or the a tag. So neither the image nor the link works, because image_style_deliver returns MENU_ACCESS_DENIED.

<?php
  $valid = !empty($style) && file_stream_wrapper_valid_scheme($scheme);
  if (!variable_get('image_allow_insecure_derivatives', FALSE) || strpos(ltrim($target, '\/'), 'styles/') === 0) {
    $valid = $valid && isset($_GET[IMAGE_DERIVATIVE_TOKEN]) && $_GET[IMAGE_DERIVATIVE_TOKEN] === image_style_path_token($style['name'], $scheme . '://' . $target);
  }
  if (!$valid) {
    return MENU_ACCESS_DENIED;
  }
?>
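To make the failure concrete, here is an added stand-alone model of that token check. It is not code from this issue or from Drupal core: example_hmac_base64() and example_style_path_token() are stand-ins for drupal_hmac_base64() and image_style_path_token(), the private key and hash salt are constructed values, and $_GET / variable_get() are replaced by explicit arguments. It builds the same preview URL twice, once as theme_image_style_preview emits it today (no itok) and once with the token appended, and runs both through the access decision.

```php
<?php
// Added example, not code from this issue or from Drupal core. It models the
// itok check in image_style_deliver() to show why a preview link built without
// the token is denied. example_hmac_base64() and example_style_path_token()
// are stand-ins for drupal_hmac_base64() and image_style_path_token(); the
// private key and hash salt below are constructed values (assumptions).

define('IMAGE_DERIVATIVE_TOKEN', 'itok');
define('MENU_FOUND', 1);
define('MENU_ACCESS_DENIED', 2);

// Constructed secrets standing in for drupal_get_private_key() and drupal_get_hash_salt().
define('EXAMPLE_PRIVATE_KEY', 'example-private-key-do-not-use');
define('EXAMPLE_HASH_SALT', 'example-hash-salt-do-not-use');

// URL-safe base64 of a raw SHA-256 HMAC, the shape drupal_hmac_base64() produces.
function example_hmac_base64($data, $key) {
  $hmac = base64_encode(hash_hmac('sha256', $data, $key, TRUE));
  return strtr($hmac, array('+' => '-', '/' => '_', '=' => ''));
}

// Stand-in for image_style_path_token(): a short token bound to the style name
// and the source URI, so a token for one image/style pair is useless for another.
function example_style_path_token($style_name, $uri) {
  return substr(example_hmac_base64($style_name . ':' . $uri, EXAMPLE_PRIVATE_KEY . EXAMPLE_HASH_SALT), 0, 8);
}

// The access decision quoted above from image_style_deliver(), with $_GET and
// variable_get() replaced by explicit arguments so it can run stand-alone.
function example_derivative_access(array $style, $scheme, $target, array $query, $allow_insecure = FALSE) {
  $valid = !empty($style) && in_array($scheme, array('public', 'private'), TRUE);
  if (!$allow_insecure || strpos(ltrim($target, '\/'), 'styles/') === 0) {
    $valid = $valid
      && isset($query[IMAGE_DERIVATIVE_TOKEN])
      && $query[IMAGE_DERIVATIVE_TOKEN] === example_style_path_token($style['name'], $scheme . '://' . $target);
  }
  return $valid ? MENU_FOUND : MENU_ACCESS_DENIED;
}

// Split a preview URL into the pieces the menu callback would receive:
// system/files/styles/<style>/<scheme>/<target...>?itok=<token>
function example_parse_preview_url($url) {
  $parts = parse_url($url);
  $query = array();
  if (isset($parts['query'])) {
    parse_str($parts['query'], $query);
  }
  $segments = explode('/', ltrim($parts['path'], '/'));
  return array(
    'style' => array('name' => $segments[3]),
    'scheme' => $segments[4],
    'target' => implode('/', array_slice($segments, 5)),
    'query' => $query,
  );
}

// Constructed inputs: a private-scheme source image rendered through 'thumbnail'.
$base = 'system/files/styles/thumbnail/private/druplicon.png';
$token = example_style_path_token('thumbnail', 'private://druplicon.png');

$urls = array(
  'without itok (what the preview emits today)' => $base,
  'with itok (what the preview should emit)' => $base . '?' . IMAGE_DERIVATIVE_TOKEN . '=' . $token,
);
foreach ($urls as $label => $url) {
  $r = example_parse_preview_url($url);
  $result = example_derivative_access($r['style'], $r['scheme'], $r['target'], $r['query']);
  printf("%-45s => %s\n", $label, $result === MENU_FOUND ? 'MENU_FOUND' : 'MENU_ACCESS_DENIED');
}
```

Run it with `php example.php`: the first URL is denied and the second passes, which is exactly the gap between the links theme_image_style_preview builds and what image_style_deliver requires once insecure derivatives are disallowed. Note that the token is bound to `$scheme . '://' . $target`, so the preview has to compute it for the private source URI, not for the public derivative path.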

But even bypassing this check, the style previews don't display. If the $scheme is private, then file_download is called. This file does not exist in the entity base table file_managed table, so the download fails. This may or may not be the same thing as #1414990: Orphaned private files can not be accessed -- not sure.

<?php
  if ($scheme == 'private') {
    if (file_exists($derivative_uri)) {
      file_download($scheme, file_uri_target($derivative_uri));
    }
  }
?>

I'm not sure if this exists in D8 as well.
