Documents and Media checks whether the user has permission to perform a certain action on a file entry using the class com.liferay.sharing.document.library.internal.security.permission.resource.SharingEntryDLFileEntryModelResourcePermissionRegistrar.
As that class shows, it first checks whether the user has permission through the traditional document library role-based permission system and, if the user doesn't have it, checks whether the document has been shared with the user with certain permissions.
The traditional document library role-based permission system is defined in com.liferay.document.library.internal.security.permission.resource.DLFileEntryModelResourcePermissionRegistrar and bases its checks on staging and workflow, for example.
If staging is enabled or if the workflow is in process, the user should not have permission to do certain actions in live, even if the document has been shared with the user.
We need to check where we perform the permission check. We should probably do it after staging/workflow and before DL permissions.
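
The ordering problem described above, as an added example that is not Liferay's code: a self-contained model comparing the current fallback order (traditional check, then sharing) with the proposed order (staging/workflow, then sharing, then DL permissions). All class, method and field names are hypothetical, and the set of actions blocked in live is an assumption.

```java
import java.util.Set;

public class SharingPermissionOrder {

    // Constructed model of a file entry; every name here is hypothetical.
    record Entry(boolean stagingEnabled, boolean workflowInProcess,
                 Set<String> roleActions, Set<String> sharedActions) {}

    // Assumption: the actions staging/workflow must block in live.
    static final Set<String> BLOCKED_IN_LIVE = Set.of("UPDATE", "DELETE");

    static boolean blockedByStagingOrWorkflow(Entry e, String actionId) {
        return (e.stagingEnabled() || e.workflowInProcess())
            && BLOCKED_IN_LIVE.contains(actionId);
    }

    // Order described above: traditional check (staging/workflow + roles),
    // then sharing as a fallback. A staging denial looks the same as a
    // missing role, so the fallback can turn it into a grant.
    static boolean fallbackOrder(Entry e, String actionId) {
        boolean traditional = !blockedByStagingOrWorkflow(e, actionId)
            && e.roleActions().contains(actionId);
        return traditional || e.sharedActions().contains(actionId);
    }

    // Proposed order: staging/workflow veto, then sharing, then DL roles.
    static boolean proposedOrder(Entry e, String actionId) {
        if (blockedByStagingOrWorkflow(e, actionId)) {
            return false; // veto is final; sharing cannot override it
        }
        return e.sharedActions().contains(actionId)
            || e.roleActions().contains(actionId);
    }

    public static void main(String[] args) {
        // Constructed case: staging on, no role grant, UPDATE shared.
        Entry staged = new Entry(true, false, Set.of(), Set.of("UPDATE"));
        // Constructed control: no staging/workflow, same share.
        Entry plain = new Entry(false, false, Set.of(), Set.of("UPDATE"));

        for (Entry e : new Entry[] {staged, plain}) {
            System.out.printf("staging=%b fallback=%b proposed=%b%n",
                e.stagingEnabled(), fallbackOrder(e, "UPDATE"),
                proposedOrder(e, "UPDATE"));
        }
    }
}
```

The two orders agree on the control entry and differ only on the staged one, which is the case a regression test for this change should cover.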