Restrict Ability to add Media to directory

Problem/Motivation

I would like to restrict the ability for users to add Media to a directory. For example, on a current project, only admins should be able to organize the media into directories.

As-is I can disallow users from creating new folders with taxonomy permissions. With ✨ Expose setting to enable drag and drop functionality RTBC I can disable the ability to drag and drop media in the UI, but the "Add Media" form passes active_directory into the form state, which sets a hidden value:

$form['active_directory'] = [
  '#type' => 'hidden',
  '#value' => $this->getDirectory($form_state),
];

This bypasses field permissions on the "directory" field I have configured. So even if the user does not have access to that field, the media is still added to the directory that the user was in when the button was pressed.

Steps to reproduce

1. Add field permissions (via module or custom code) that restrict access to the directory field.
2. Open the browser and select a sub-folder.
3. Press the "Add Media" button. The field is not visible, but the Media entity is still added to the selected folder.

Proposed resolution

Implement permission checks that user has access to the directory field on create/update operations.

Alternatively, instead of using a hidden value on the form, adjust the code to explicitly set the directory field value, if it exists.

Remaining tasks

Decide on an approach and write code to implement.

User interface changes

Add a status message that lets the user know that the media they added could not be added to the folder due to permissions.

API changes

n/a

Data model changes

n/a