Alright, getting back on track.
Tested out the Taxonomy Access Control module. It's probably much more useful for sites that want finer grained control, but I had trouble getting it to do what I wanted. I almost got there, but was thwarted by a problem that turned out to be not at all TAC's fault.
Note to Drupal admins: a role must have the "View uploaded files" permission enabled in order to be able to see pictures if you're using the private file storage method..
But as part of my struggles, I gave the TAC-Lite module a try. It's much simpler, and much better suited for my purposes since I set out building this site with an explicit access control flag for the taxonomy. With TAC-Lite, that's the only category I have to worry about configuring. I can mess with other categories as well, and probably will at some point, but for now I'm sittin pretty.