Hi, you can disable or customize the OOB ACL's to remove existing access and create your own to replace them, but you will need some sort of defined relationship between the user and the record; IE if you want to filter by 'classification' then the classification would need a (direct or indirect) relationship to the user record. This might be as simple as building a relationship between assignment group and classification.
Once you have your relationship defined then you would use table level ACL's to evaluate the logged on users relationship to the current record. Note there is an increased platform overhead using scripts to evaluate ALC's and where possible I would recommend using table level ACL's only for this, keeping any table.* or table.field ACL's as generic\role based as possible - if you cannot see the record then you cannot see the data in the record regardless of any underpinning field or wild card ACL's.

For sys_attachment you would script a lookup\check of the underpinning task\record via the table name and table sys_id fields, and then evaluate the users relationship to the related task in the same way you would evaluate it directly from the task.