All plugins files get a session lock, then find the right callback, do the ACL checks, then either explicitly unlock the session and serve the file, or serve the file which does that for you.

But almost no plugin files actually mutate the session intentionally. I don't think it is safe to assume they won't but for those which we know to be safe I think we can throw on an optional query param which avoids the lock in the first place:

/pluginfile.php/123/course/overviewfiles/12345.jpg?lock=0

Scorm would be a good candidate for this.