The new feature in NC 25 to limit downloads also for internal shares is meant to force users to use secure view. So documents are watermarked and what not.
Assume a company wide share. People can share files from it to others but they can’t be downloaded. For simplicity
This all works as expected
Now user2 simply does a PUT
curl -u user2:pass 'https://SERVER/ocs/v2.php/apps/files_sharing/api/v1/shares/11' -X PUT -H "OCS-APIREQUEST: true" -H 'Content-Type: application/json' --data-raw '{"permissions":"17","attributes":"[{\"scope\":\"permissions\",\"key\":\"download\",\"enabled\":true}]"}'
And there you go. No more pesky secure view. Just easy downloads for user3.
Secure view for internal shares is useless if also reshare permissions are given.