Consider expanding hook_file_download to accept context

I'm not exactly sure how you'd expect this context to be provided, by whom and to whom? you mean that the URl would include ?context=node:17

Indeed, as either a query parameter or named argument of the route.

and then we only check node 17?

For the entity permission checker, yes that would be exactly the case, you only need to look at Node 17 and see if it (or its revisions) grant access, if not the context is invalid and you either neutral response (if you want to allow a chance to lookup more) or fail response (treat as a malformed request for trying to fake context approval).

Shared media on a node may be "entity:media:id+entity:node:id" in that if the user has access to the media item or node either could grant access.
(note: these are more description examples, an exact context format can be determined later)

Some hook implementations (especially for un-managed files) may not care on the additional context, an example could be some modules may check export module may do "is this in ./modulename-exports/, and is the user allowed to access exports" they don't need the context of where the link was displayed.

The concept is a middle ground between "Load every single location access may be granted" and "maintain a mapping table for every file on where it is used" (Avoiding a DoS may require signing the context). The other middle ground sometimes used in other systems is 'generate a time limited per user signature" (image styles uses an unlimited time signature for example)

pass it through to the access checks

I do not believe this would need anything special go past the hook_file_download (in the context of the revision check) as the loading to validate would be something along the lines of "does user have access to entity X at revision Y and is file Z attached to the revision" which entity revision access already cover loading the entity itself.

And only _some_ cases could actually be able to provide that context, link field formatters on an entity, but not something like a list of files.

I believe for core this would be most of the cases would it not? I do agree raw random list of files this is indeed one of the areas this idea would struggle. A views list of all managed files and the IMCE contrib module being mos impact. At that point you have to go to either parse every entity, or have already maintained a mapping table of file usage to avoid a false 'access denied' error.

Slipping this in is certainly not the smallest architecture change for core, and I do believe it needs to be questioned on its design to be sure I"m not missing anything, however if implemented it should it allows majority of access checks to shortcut full table lookup trying to find where a user was informed they may try and load the file.