In short, both are preferred; both can return the same thing, but the "context" is different.
Look at your urls:
/users : all users
/users/1 : user # 1
/users/1/images : all images of user # 1
/users/1/images/1 : user # 1 image # 1
All of the above URLs revolve around the user's resource. These are "all users", "user", "user images", etc.
/images : all images
/images/1 : image # 1
All of the above URLs revolve around the "image" resource. This is "all images" or "image".
Now, at first glance, this difference may seem relatively insignificant, but when building the API, the difference can significantly affect data consumption.
For example, say you want to get a list of all the images of user # 1, which is preferable?
/users/1/images
or
/images?where=user.id eq 1
The first represents exactly what we want, more limited and more understandable, but this does not mean that we should not also support the second form, since the possibility of a request can be very useful.
Now, how about if you want to get a list of images with your associated user?
/users/???
or
/images?include=user
In this case, the first URL does not make much sense, since we are trying to get a list of images, not users, and the second URL represents exactly what we want.
Now, with regard to security, this should ideally be done in such a way that it is completely transparent to the consumer. The consumer should be able to say "I want all the images." and only get all the images that they have access to. If they try to access a specific resource that they do not have access to, the appropriate HTTP error code must be returned.
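As an added example that is not part of the answer above or of any project, here is a small stdlib-only Python dispatcher that implements both URL shapes from the answer (the nested /users/{id}/images form and the flat /images?where=user.id eq 1 / ?include=user form) on top of one authorization filter, so that a consumer asking for "all the images" only ever receives the images it may see, and a direct request for a resource it may not see gets an HTTP error code. The users, images, the "public or owner" visibility rule and the whitelist of filterable fields are all constructed assumptions for the example.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample data standing in for a database (not from the original post).
USERS = {
    1: {"id": 1, "name": "alice"},
    2: {"id": 2, "name": "bob"},
}
IMAGES = {
    1: {"id": 1, "owner_id": 1, "public": True},
    2: {"id": 2, "owner_id": 1, "public": False},
    3: {"id": 3, "owner_id": 2, "public": False},
}

# Whitelist of fields a consumer may filter on (API name -> (column, type coercion)).
# Anything outside this table is rejected with 400 rather than passed to the data layer.
FILTER_FIELDS = {
    "user.id": ("owner_id", int),
    "public": ("public", lambda s: s.lower() == "true"),
}


def can_view(image, viewer_id):
    """Hypothetical policy: an image is visible if it is public or the viewer owns it."""
    return image["public"] or image["owner_id"] == viewer_id


def visible_images(viewer_id):
    """The collection as the viewer is allowed to see it; every list route starts from here."""
    return [img for img in IMAGES.values() if can_view(img, viewer_id)]


def apply_where(images, expr):
    """Parse 'field eq value' and filter; returns None for an expression we do not accept."""
    m = re.fullmatch(r"\s*([\w.]+)\s+eq\s+(\S+)\s*", expr)
    if not m or m.group(1) not in FILTER_FIELDS:
        return None
    column, coerce = FILTER_FIELDS[m.group(1)]
    try:
        value = coerce(m.group(2))
    except ValueError:
        return None
    return [img for img in images if img[column] == value]


def with_includes(images, includes):
    """Embed related resources requested via ?include=user."""
    out = []
    for img in images:
        item = dict(img)
        if "user" in includes:
            item["user"] = USERS[img["owner_id"]]
        out.append(item)
    return out


def get_image(image_id, viewer_id, owner_id=None):
    """Single resource: 404 if missing (or not nested under this user), 403 if not permitted."""
    img = IMAGES.get(image_id)
    if img is None or (owner_id is not None and img["owner_id"] != owner_id):
        return 404, {"error": "not found"}
    if not can_view(img, viewer_id):
        return 403, {"error": "forbidden"}
    return 200, img


def to_int(segment):
    return int(segment) if segment.isdigit() else None


def handle(url, viewer_id):
    """Dispatch a GET on the URL shapes from the answer; returns (status, body)."""
    parts = urlparse(url)
    seg = [s for s in parts.path.split("/") if s]
    query = parse_qs(parts.query)
    includes = set(query.get("include", [""])[0].split(","))

    if seg == ["users"]:
        return 200, list(USERS.values())
    if len(seg) >= 2 and seg[0] == "users":
        user = USERS.get(to_int(seg[1]))
        if user is None:
            return 404, {"error": "no such user"}
        if len(seg) == 2:
            return 200, user
        if len(seg) == 3 and seg[2] == "images":
            # Nested form: the viewer's visible set, narrowed to this user's images.
            return 200, [i for i in visible_images(viewer_id) if i["owner_id"] == user["id"]]
        if len(seg) == 4 and seg[2] == "images":
            return get_image(to_int(seg[3]), viewer_id, owner_id=user["id"])
    if seg == ["images"]:
        # Flat form: filtering and includes are applied after the visibility filter, never before.
        images = visible_images(viewer_id)
        if "where" in query:
            images = apply_where(images, query["where"][0])
            if images is None:
                return 400, {"error": "unsupported filter"}
        return 200, with_includes(images, includes)
    if len(seg) == 2 and seg[0] == "images":
        status, body = get_image(to_int(seg[1]), viewer_id)
        return status, (with_includes([body], includes)[0] if status == 200 else body)
    return 404, {"error": "no such route"}


if __name__ == "__main__":
    print(handle("/users/1/images", 2))                 # only user 1's public image
    print(handle("/images?where=user.id eq 1", 2))      # same result via the query form
    print(handle("/images?include=user", 1))            # images with their user embedded
    print(handle("/users/1/images/2", 2))               # private image of another user -> 403
```

The design choice worth noting is that both list routes are built from `visible_images()`, so the `where` and `include` parameters can only narrow or decorate a set the viewer is already allowed to see; the filter whitelist keeps a consumer from probing columns the API never meant to expose. Returning 403 for an existing-but-forbidden resource versus 404 for a missing one is a deliberate choice here; collapsing both to 404 is the alternative when even the existence of a resource should not be revealed.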