For access control, use ACLs to hide the assets from authors. given the assets are only required to be accessed programmatically (TBH, without the detailed use-case its hard to validate if this is a good approach) you should anyway use a service user. Have you done any performance test for Assets AP...