The ACL check in ajax_mediaupload() only checks $NS, but the actual file is written to $NS:$id, and $id can contain further namespaces, so users can actually upload into protected subnamespaces and even overwrite files there if they have the permissions for the parent namespace. I think either the ACL check should check the namespace of $NS:$id or $id mustn't contain further namespaces.
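The mismatch described in the report and the two proposed fixes, as an added example that is not DokuWiki's own code. The ACL table, the helper names (`can_upload`, `namespace_of`, the `check_*` functions) and the sample namespaces are hypothetical, and `$id` is assumed to be already normalized so that `:` is the only namespace separator.

```php
<?php
// Constructed ACL for one sample user (assumption): namespace => may upload.
// The most specific matching namespace wins.
const SAMPLE_ACL = [
    ''                => false,
    'projects'        => true,   // user may upload into the parent namespace
    'projects:secret' => false,  // protected subnamespace
];

// Hypothetical stand-in for the wiki's ACL lookup: walk up from the
// given namespace until a rule matches (the root rule '' always exists).
function can_upload(string $ns): bool
{
    while (!array_key_exists($ns, SAMPLE_ACL)) {
        $pos = strrpos($ns, ':');
        $ns  = ($pos === false) ? '' : substr($ns, 0, $pos);
    }
    return SAMPLE_ACL[$ns];
}

// Namespace part of a full media ID ("a:b:file.png" -> "a:b").
function namespace_of(string $fullId): string
{
    $pos = strrpos($fullId, ':');
    return ($pos === false) ? '' : substr($fullId, 0, $pos);
}

// Behaviour described in the report: only $ns is checked, $id is ignored.
function check_parent_only(string $ns, string $id): bool
{
    return can_upload($ns);
}

// Proposed fix 1: check the namespace the file is actually written to.
function check_effective_ns(string $ns, string $id): bool
{
    return can_upload(namespace_of(trim($ns . ':' . $id, ':')));
}

// Proposed fix 2: refuse ids that carry further namespaces.
function check_flat_id(string $ns, string $id): bool
{
    return strpos($id, ':') === false && can_upload($ns);
}

foreach ([['projects', 'logo.png'], ['projects', 'secret:logo.png']] as [$ns, $id]) {
    printf("%s + %s: parent-only=%s effective-ns=%s flat-id=%s\n", $ns, $id,
        var_export(check_parent_only($ns, $id), true),
        var_export(check_effective_ns($ns, $id), true),
        var_export(check_flat_id($ns, $id), true));
}
```

For the second sample pair, only the parent-only check returns true; both proposed checks deny the upload, while all three allow the plain `logo.png` upload into `projects`.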