How to build private access images correctly?

I have a few questions about using Shrine with tenancy-based access to images.

Currently, my site is set up with publicly accessed images, all via CloudFront.

  1. I’m using Rails with Devise; is download_endpoint the best way to make these images private via Devise authentication?
  2. Will this plugin also make all derivatives private?
  3. Should I remove “public: true” from “store_s3_options” when using the download_endpoint plugin?
  4. What is the best practice for setting “max-age=XXX”? Should it be less than a week, or a month?
  5. Can the download_endpoint host be set using environment variables, as I’m using different CloudFront buckets for development and production?

Separate (but possibly associated) question: is it possible to set up a download_url for an image? So when a user clicks the link, they cannot directly access the image and it forces a download?
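Added editorial example, not part of the question above and not Shrine's own code: a framework-free, stdlib-only Ruby sketch of what an authenticated, tenant-scoped download endpoint has to do, i.e. the behaviour the questions above are asking the download_endpoint plugin to provide. It assumes a constructed in-memory store `FILES` standing in for a private bucket, a hypothetical `ATTACHMENTS_HOST` environment variable for per-environment hosts, a `TOKEN_SECRET` that a real app would load from credentials, and `env["demo.current_user"]` standing in for the Devise/Warden user that an `authenticate :user` route block would establish. The `download_endpoint`, `download_url` and `download_token` methods are this example's own names, not Shrine's API.

```ruby
require "openssl"
require "json"

# Constructed in-memory store standing in for a *private* S3 bucket:
# tenant => { file id => [content type, bytes] }. Sample data, not real files.
FILES = {
  "acme"   => { "photos/logo.jpg"  => ["image/jpeg", "JPEG bytes for acme".b] },
  "globex" => { "photos/badge.png" => ["image/png",  "PNG bytes for globex".b] },
}.freeze

# Host the endpoint URLs point at, taken from the environment so development and
# production can differ. ATTACHMENTS_HOST is a hypothetical variable name.
ATTACHMENTS_HOST   = ENV.fetch("ATTACHMENTS_HOST", "http://localhost:3000")
ATTACHMENTS_PREFIX = "/attachments"
TOKEN_SECRET       = "constructed-demo-secret" # assumption: real apps load this from credentials

def b64url_encode(str)
  [str].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str.tr("-_", "+/")
  padded += "=" * ((4 - padded.length % 4) % 4)
  padded.unpack1("m0") # strict decoding raises ArgumentError on malformed input
end

# Constant-time comparison so signature checks do not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Encode which file (and which tenant) a URL refers to, plus whether the browser
# should render it inline or force a download. The HMAC binds all three fields,
# so editing the path cannot retarget it at another tenant's object.
def download_token(tenant:, id:, disposition: "inline")
  payload = b64url_encode(JSON.generate({ tenant: tenant, id: id, disposition: disposition }))
  "#{payload}.#{OpenSSL::HMAC.hexdigest('SHA256', TOKEN_SECRET, payload)}"
end

# Full URL a view would emit; pass disposition: "attachment" for a download link.
def download_url(tenant:, id:, disposition: "inline")
  "#{ATTACHMENTS_HOST}#{ATTACHMENTS_PREFIX}/#{download_token(tenant: tenant, id: id, disposition: disposition)}"
end

# Returns the decoded payload hash, or nil for any malformed or tampered token.
def verify_token(token)
  payload, sig = token.to_s.split(".", 2)
  return nil unless payload && sig
  return nil unless secure_equal?(sig, OpenSSL::HMAC.hexdigest("SHA256", TOKEN_SECRET, payload))
  data = JSON.parse(b64url_decode(payload))
  data.is_a?(Hash) ? data : nil
rescue ArgumentError, JSON::ParserError
  nil
end

def text_response(status, message)
  [status, { "Content-Type" => "text/plain" }, [message]]
end

# Rack-style endpoint: env => [status, headers, body].
def download_endpoint(env)
  user = env["demo.current_user"]
  return text_response(401, "sign in required") unless user

  token = env["PATH_INFO"].to_s.delete_prefix("#{ATTACHMENTS_PREFIX}/")
  data = verify_token(token)
  # Wrong tenant and unknown file both answer 404, so the response does not
  # confirm that another tenant's object exists.
  return text_response(404, "not found") unless data && data["tenant"] == user[:tenant]

  mime, bytes = FILES.dig(data["tenant"], data["id"])
  return text_response(404, "not found") unless bytes

  disposition = data["disposition"] == "attachment" ? "attachment" : "inline"
  filename = File.basename(data["id"]).delete('"')
  [200, {
    "Content-Type"        => mime,
    "Content-Length"      => bytes.bytesize.to_s,
    "Content-Disposition" => "#{disposition}; filename=\"#{filename}\"",
    # "private" keeps the object out of CloudFront and other shared caches;
    # the user's own browser may still reuse it for an hour.
    "Cache-Control"       => "private, max-age=3600",
  }, [bytes]]
end

if __FILE__ == $PROGRAM_NAME
  url = download_url(tenant: "acme", id: "photos/logo.jpg", disposition: "attachment")
  status, headers, = download_endpoint(
    "PATH_INFO" => url.delete_prefix(ATTACHMENTS_HOST), "demo.current_user" => { tenant: "acme" }
  )
  puts "#{status} #{headers['Content-Disposition']}"
end
```

The points this is meant to make concrete: once files are served through an authenticated endpoint, the bucket itself (and every derivative stored in it) should no longer be public, the `Cache-Control` on those responses should be `private` so a shared cache such as CloudFront never hands one user's image to another, the host is just configuration read from the environment, and "force a download" is nothing more than `Content-Disposition: attachment` on the same response.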