I just tried the new "Bucket Policy Only" setting in a preexisting test bucket. I want to be able to anonymously download objects by URL, but prevent the public from listing objects in the bucket.
If I add the Storage Object Viewer role to allUsers, then the public can both list the bucket and download objects. If I don't add that role, the public can't download files.
What's the trick? I have this working fine with the old ACL system.
