Xray incorrectly flags Media Library views as publicly accessible due to base permission check

Created on 9 May 2025

Problem/Motivation

The Media Library views provided by Drupal core are based on the "View media" permission, which can be granted to any role. However, access to the displays within these views is further restricted by additional runtime logic that Xray does not detect. As a result, Xray reports these views as publicly accessible when they are not, producing false positives in security audits.

Steps to reproduce

  1. Install and enable the Media Library module (part of Drupal core).
  2. Ensure that the "View media" permission is granted to the anonymous user.
  3. Enable and run the Xray module.
  4. Observe that Xray reports the Media Library views as visible to anonymous users.
  5. Try to visit the Media Library route as an anonymous user: it will not be accessible due to extra access logic.

Proposed resolution

  • Enhance Xray's detection logic to account for runtime access checks beyond the base permission declared in the view.
  • If full detection is not feasible, allow for configurable or pluggable exceptions for specific views or routes that implement custom access logic.
  • Optionally, detect common patterns (e.g., custom access callbacks, `hook_view_access_alter`, or access plugins) that override default view accessibility.
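As an added illustration of the first bullet (this is not Xray's or Drupal core's code), a checker that looks past a display's base permission to the requirements of the routes that render it; the route name, access callback class and permission lists below are constructed placeholders:

```php
<?php
// Added example, not code from Xray or Drupal core: classify a Views display from its
// exported access config plus the requirements of the routes that render it, so an
// audit does not stop at the base permission. Requirement keys are Drupal core's; the sample config below is constructed.
/**
 * Returns 'public', 'restricted' or 'needs-runtime-check'.
 *
 * @param array $display        Display config: ['access' => ['type' => ..., 'options' => ...]].
 * @param array $routes         Route definitions (name => ['requirements' => [...]]).
 * @param array $anonymousPerms Permissions granted to the anonymous role.
 */
function classifyDisplayAccess(array $display, array $routes, array $anonymousPerms): string {
  $access = $display['access'] ?? ['type' => 'none'];
  $type = $access['type'] ?? 'none';

  // 1. The display's own access plugin (what the base permission check already evaluates).
  if ($type === 'perm') {
    if (!in_array($access['options']['perm'] ?? '', $anonymousPerms, TRUE)) {
      return 'restricted';
    }
  }
  elseif ($type === 'role') {
    if (!in_array('anonymous', $access['options']['role'] ?? [], TRUE)) {
      return 'restricted';
    }
  }
  elseif ($type !== 'none') {
    // Contrib or custom access plugin: its verdict is only known at runtime.
    return 'needs-runtime-check';
  }

  // 2. Route-level requirements on every path that exposes the display.
  foreach ($routes as $route) {
    $req = $route['requirements'] ?? [];
    if (isset($req['_custom_access']) || isset($req['_entity_access'])) {
      return 'needs-runtime-check';
    }
    if (isset($req['_permission']) && !in_array($req['_permission'], $anonymousPerms, TRUE)) {
      return 'restricted';
    }
    if (($req['_access'] ?? 'TRUE') === 'FALSE') {
      return 'restricted';
    }
  }
  return 'public';
}

// Constructed sample: 'view media' granted to anonymous, but the route adds a custom access callback.
$display = ['access' => ['type' => 'perm', 'options' => ['perm' => 'view media']]];
$routes = ['example.library' => ['requirements' => ['_custom_access' => '\Drupal\example\Access::check']]];
echo classifyDisplayAccess($display, $routes, ['view media', 'access content']), "\n";
```

Compound `_permission` strings (`a+b`, `a,b`) and `_role` requirements are treated as single values here; a real checker would split them and resolve each part against the anonymous role.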

Remaining tasks

  • Confirm whether the current Media Library access logic can be reliably detected.
  • Evaluate the feasibility of a generic approach for identifying custom access control in views.
  • Implement the proposed enhancement or provide a mechanism to declare view-specific exceptions.
  • Add tests to validate that views with runtime access control are not falsely flagged.

User interface changes

None expected, unless an exception list or UI feedback is added to the Xray module.

API changes

Possibly extend Xray’s internal APIs to support access override detection or exception registration.

Data model changes

None.

πŸ› Bug report
Status

Active

Version

1.0

Component

Code

Created by

Juanjol Navarra (Spain)
