In conjunction with a policy (mentioned above), you'd have to have the images located in non public storage (so it's not accessible by going to yoursite.com/images/image-name.jpg), and they'd have to go through a controller. So instead of
And you'd check in the controller whether the person has access to the image (owns it). If so, you'd just output the image from the non-public Storage.
Do you store the image paths in the database? If not, maybe you should consider storing them under a /images/USER_ID/ folder. And check whether the user_id from the path matches the auth()->user()->id
Otherwise, if the images are stored in the DB and there's a relationship between the image & user, add a policy.