Indeed. But NC already has OCC, which already has file scanning functionality for other purposes. So one could leave it up to root/admin/sysop when these things are run. And it looks like this is more or less the approach “Preview Generator” has taken.
So, the question still stands about the endpoint(s).