I received a excellent reply from Cloudinary support. It’s taking me a bit of time to decipher 
-----8<--------
Thanks for contacting us, and for letting me know what you’ve tried and where you’ve looked for an answer already (that’s unusual, and appreciated!)
At a high level, there are two things it’s important to be aware of regarding how Strict Transformations works, which are that 1) Strict transformations affects what methods can create a new derived image in your account without some additional authentication being provided, and
2) Strict transformations doesn’t directly affect how an existing derived image can be accessed, nor how the original file can be accessed
A related concept to mention again is ‘derived asset’ - a common use-case for Cloudinary is that you upload original assets to us, then on your website or application you use a URL that tell us to return that asset, with some transformations applied in the URL, and the version with the transformations applied is called a ‘derived’ asset.
If I understand you correctly, you’d like to create a watermarked copy of an image, allow users to see that watermarked copy, but it shouldn’t be possible for them to see the original asset without authentication, or to change the watermark / add other options. Additionally, you’d prefer to hide what the transformation options used were.
In that case, here’s what I recommend
• Upload the original assets with type ‘private’, so that the original can’t be accessed without a signature, but existing derived assets can be accessed publicly: Media Access Control and Authentication | Cloudinary
• Enable Strict Transformations on your account: Media Access Control and Authentication | Cloudinary
• Create a named transformation in your account which applies the watermark, and also resizes the image to the size you need it for your application (I also recommend adding ‘q_auto: good’ as the quality setting to reduce file size further): Chained and Named Image Transformations | Cloudinary
• In your upload call, or upload preset, request that the watermarked copy is created via an eager transformation
• Alternatively, use the explicit() API method to create a derived version using that named transformation, if the files have already been uploaded
• Alternatively, if all the images will have the same watermark, ‘allow’ the named transformation in your account settings, which will allow new derived images to be created “on the fly” if they use those transformation options
• Use the URL of the watermarked copy in your application or website
With that strategy, users will see the name of the named transformation in the URL, but not the options inside that named transformation, and they won’t be able to access the original file by removing the transformations, or change the transformation options to remove the watermark
May I ask you to please take a look and see if that helps?
Regards,
Stephen
Developer Support Engineer
Customer Success team
Cloudinary UK
