Can't understand what exactly you want and why.
For example: an app where managers can log in to their company profile and upload PDFs. These PDFs shouldn't be available to other companies. This is application level, where you store uploaded/user sensitive information in a database or in any disk storage BUT you serve these files from the backend. For example, a user can access his PDF by url domain/file=6GO86r89GugK
Another example: Users can upload profile photos, which are in fact private information and protected by the law. Many users don't want to allow anyone and especially Google to see their private photos at least until they are logged in or even friends. This IS AGAIN an application level. Facebook is a first example here. You can set up who is able to see your photos - public, friends, only you, etc.
What actually happens in the back-end when user tries to access a link:
Content-Type: image/png and body contains file data. If it is required to download that link, then another header added
You are asking for a Google link, I will give you exactly what you want. Create a private Google Drive document, paste the sharable link here and anyone who visits that link will see a page saying that access to that file is restricted; you can request access by clicking on the button, which will send an email to the doc author. This IS application level.
If your JS contains sensitive information, then there is something very wrong with your JS and you should remove it. Don't overcomplicate things and don't think about restricting access to the assets.
All the data will be returned from the server anyway. I don't care if a hacker has access in the console to Manager.deleteAccount(42) because he will get a 403 from the server.
You, of course, may think that you don't want to allow a hacker to see your API urls so he couldn't spam them. First, as I said in the paragraph above, the server will show that hacker where his place is and, second, ok, you hid that info but the hacker can register his own account and get that info anyway because it IS a PUBLIC asset.
I am not going to talk about HTTP level security, load balancing, proxies, HA, DDoS protection and everything else since it is a different topic.
If you are talking about which CSS, JS should be returned to guests, which to authenticated users, which to admins because of performance issues, then, of course, you shouldn't return a 1mb full-bundle.css/js. I usually have a small index-hash.js and index-hash.css for the first page only; the rest of the app can be in a single app-hash.css and app-hash.js or it could be divided into modules, like news.css, users.css, etc. Admin assets are always returned from /admin or something since the client side does not need typical admin panel assets. Return to a client only what he asks for in that request, no more, no less. My average css/js per page is about 30kb.
P.S. public assets and images should be returned from CDN.
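
The application-level check described in the post above, as an added example that is not part of the original post: the backend resolves the opaque file id, compares the file's owner with the logged-in user's company, and answers 403 when they differ. The `FILES` and `SESSIONS` stores, the session tokens and the second file id are constructed for illustration; only the id `6GO86r89GugK` comes from the post.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class StoredFile:
    company_id: int      # company whose manager uploaded the file
    content_type: str    # sent back as the Content-Type header
    body: bytes


# Constructed sample data: opaque file id -> stored record.
FILES = {
    "6GO86r89GugK": StoredFile(1, "application/pdf", b"%PDF-1.7 constructed sample"),
    "constructedId2": StoredFile(2, "image/png", b"\x89PNG constructed sample"),
}

# Constructed session store: session token -> company of the logged-in manager.
SESSIONS = {"session-a": 1, "session-b": 2}


def serve_file(file_id, session_token):
    """Handle a request for domain/file=<file_id>; return (status, headers, body)."""
    company_id = SESSIONS.get(session_token)
    if company_id is None:
        return 401, {}, b""          # not logged in
    record = FILES.get(file_id)
    if record is None:
        return 404, {}, b""          # no such file
    if record.company_id != company_id:
        # Knowing the URL is not enough: ownership is checked on every request.
        return 403, {}, b""
    headers = {
        "Content-Type": record.content_type,
        "Content-Length": str(len(record.body)),
        # Private files must not be stored by shared caches or a CDN.
        "Cache-Control": "private, no-store",
        # User uploads are served with their declared type only.
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, record.body


if __name__ == "__main__":
    for token in ("session-a", "session-b", "no-session"):
        print(token, serve_file("6GO86r89GugK", token)[0])
```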