Unless I am mistaken, permission settings in `contents` files are completely ignored for registered bitstream lines (e.g., lines starting with "-r") when using the Simple Archive Format to import items.
This wouldn't be a big deal if this behavior was documented, or if the import tool errored out when permission config and the registration marker ("-r") were detected on the same line.
However, this behavior is not documented, and in fact the [documentation](https://wiki.duraspace.org/display/DSDOC5x/Registering+Bitstreams+via+Simple+Archive+Format) shows usage of bitstream registration WITH permission configuration. The permission settings are quietly ignored, and, by default, the bitstreams have anonymous read access.
If I am correct, existing repositories could be exposing private bitstreams to the world, assuming not every administrator will verify the appropriate policies for every single imported bitstream.
See for example [ItemImport.java](https://github.com/DSpace/DSpace/blob/dspace-5.2/dspace-api/src/main/java/org/dspace/app/itemimport/ItemImport.java#L1395), although this issue also seems to apply to DSpace master.