Various build steps (or other code run during builds) ought to be checking permissions. For example, you should only be able to trigger a downstream build if "you" would otherwise have permission to schedule that job manually. Similarly for accessing artifacts, running on secure slave nodes, and so on.
Unfortunately in Jenkins currently all builds run in SYSTEM, i.e. effectively having all permissions, and it is up to each build step to do its own checks. Worse, there is no clear authentication to associate with the build. If it was started manually by a particular user, you could use that authentication, but other causes do not lead to a clear user name.
There should be some (probably extensible) system of associating an Authentication with a given Run, either based on its Cause or something else such as the last User to configure the Job.