The code added in https://www.drupal.org/SA-CORE-2017-003 required writing to the session every time an anonymous user uploads a private file. This can have performance implications since the session cookie means those users won't see cached pages after the upload.
We mitigated this in both Drupal 7 and 8, but in Drupal 8 the mitigation was limited to avoiding the session write in the case of an upload to public://. It was pointed out that there could be other fully public stream wrappers where the same thing should be done.
@larowlan came up with a good suggestion for how to do that: Basically add a constant to https://api.drupal.org/api/drupal/core%21lib%21Drupal%21Core%21StreamWra... similar to the ones that are already there (e.g. LOCAL or HIDDEN) but the new one should be used to flag whether the stream wrapper is public or private. The https://api.drupal.org/api/drupal/core%21lib%21Drupal%21Core%21StreamWra... method, which returns a bitwise flag, could then indicate whether the stream wrapper is public or private, and the code in the File module which writes to the session could check that.
I suggested that the flag should probably be PUBLIC (rather than PRIVATE) to make the more "dangerous" one opt-in, similar to how the other flags work.
In Drupal 7, we already had a 'file_public_schema' variable (which sites can override to specify additional public stream wrappers besides public://) so we just used that in the security release. That was originally added as a quick fix for a regression, but using a constant (as proposed in this issue) would probably make more sense for Drupal 7 too. Therefore, I'm marking this issue for possible backport to Drupal 7. We'd need to deprecate the variable but still allow it to be used, I guess.