We will need the ability to track who has downloaded files and when on an access-restricted site, so Google Analytics isn't really a solution. I am considering having a single BrowserView that can access the file and having that view update annotations on the object with download info. This would cause a write on every download, which may be a problem for a large public site, but for an area of the site that is restricted to a handful of authenticated users I would think it'd be fine.
The one thing I am worried about is that some other browser endpoint capable of accessing the file object is inadvertently left in. For instance, if there was a BrowserView in some part of Plone core I am not aware of that simply calls self.context.file, I don't think that would even care about view permissions set on the zope.schema. One possibility is to have a new content type that does not call the field "file", just to reduce the chance of this happening. Is there a better way to force it so that there can't be other browser access points, or a better approach altogether?