I'm creating Portal along side of ModelDriven App.
I would like to exchange Attachment file from both side, Model-Driven and Portal.
Portal users, they are authenticated with Microsoft account and Model driven app users should authed by AAD. (as licensed users)
As for the Portal user's Web role, they can read, write, edit, delete permission to A entity, and A entity is Attachment function enabled so then I also added Web role for Attachment (annotation) entity with read, write, edit, delete.
With this, I'm also configured Web role when user create record from portal, by using Contact, they can only see "Their created record" from view.
As a result, I made sure portal users can upload attachment files from portal form but they can not see or refer any files uploaded from Model driven app with licensed users. Perhaps because I'm currently configured portal users can only see "their" record from A entity.