Hello,
As you've already read in the related topic you mention, media files don't have individual ACLs. Instead, they get whatever ACL is granted to the namespace they belong to.
Moreover in general I don't understand how to grant access for a single file, e.g. the following does not seem to work as well:
wiki:banner.png @ALL 1
You can't. This gives anyone read access to the page named wiki:banner.png, not to the media banner.png.
---------------------
Since you need to keep your namespace private by default, with only a few exceptions that are public, it seems your best choice is to create a public namespace dedicated to media files. The media can be used from any page, public or private, in any namespace. The media will always be public, since the namespace they are in is public. You also need to make sure writers won't upload media files in the private namespace.
media:* @ALL 1
media:* @writer 16
wiki:* @ALL 0
wiki:* @user 1
wiki:* @writer 4
wiki:public-page @ALL 1
From any page, public or private, you can reference a media file, i.e.
{{media:document.pdf}} will work in any page, for anyone.
I think this setting will technically fit your needs, but I am not sure it will be convenient. Unfortunately, I can't think of something else right now. Also note that there is nothing in this setting that prevents a writer from creating pages in the media namespace. All media can be read with the media manager by anyone.
/Schplurtz
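
An added example (not part of the original post and not DokuWiki's own code): a simplified Python model of how the rules above resolve for pages and for media. It assumes the most specific matching scope wins, that the highest level among a user's matching groups applies, and that media are checked only against their namespace rule; the group memberships passed in are assumptions.

```python
# Simplified model of DokuWiki ACL resolution (added example, not DokuWiki code).
NONE, READ, EDIT, CREATE, UPLOAD, DELETE = 0, 1, 2, 4, 8, 16

# Rules copied from the post above.
ACL = """
media:* @ALL 1
media:* @writer 16
wiki:* @ALL 0
wiki:* @user 1
wiki:* @writer 4
wiki:public-page @ALL 1
"""

def parse(text):
    """Turn 'scope subject level' lines into tuples, skipping blanks and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            scope, who, perm = line.split()
            rules.append((scope, who, int(perm)))
    return rules

def _best(rules, scope, groups):
    """Highest level granted on exactly this scope to any of the groups, or None."""
    perms = [p for s, w, p in rules if s == scope and w in groups]
    return max(perms) if perms else None

def page_perm(rules, page_id, groups):
    """Exact page rule first, then ns:*, then each parent namespace up to '*'."""
    groups = set(groups) | {"@ALL"}          # everyone is implicitly in @ALL
    perm = _best(rules, page_id, groups)
    if perm is not None:
        return perm
    ns = page_id.rpartition(":")[0]
    while True:
        perm = _best(rules, f"{ns}:*" if ns else "*", groups)
        if perm is not None:
            return perm
        if not ns:
            return NONE                      # no rule matched at any level
        ns = ns.rpartition(":")[0]

def media_perm(rules, media_id, groups):
    """Media have no rule of their own: only the namespace rule is consulted."""
    ns = media_id.rpartition(":")[0]
    return page_perm(rules, f"{ns}:*" if ns else "*", groups)
```

Comparing `page_perm` and `media_perm` for the same id, with the rule `wiki:banner.png @ALL 1` appended, shows why that line opens the page but not the image.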