Throughout the history of SharePoint, us admins have dealt with non-stop permission issues. Microsoft has tried to alleviate some of our pain by introducing features such as the hub site and site collection architecture (vs sub sites and messy site permissions) and allowing end-users to share files and sites with other users through easy-to-use buttons. Although, the latter can cause more pain than good to site admins. Let me explain.
By default, SharePoint Online will set the default copy and sharing links on all site collections as Edit. Therefore, if you share a link with someone using these buttons, they will automatically have edit rights to that item (despite the fact that you may have any set up Read access to the library). The permission inheritance for that item will break and you will end up with unique permissions the first time you click the Copy link or Share button. Even if you have Edit access already on the library, you will continue to have unique permissions for that item.
Obviously, for SharePoint admins, item-level permissions is a disaster waiting to happen. However, we can change the global sharing settings in the SharePoint Online admin center. Go to your SharePoint admin center: https://<tenant>-admin.sharepoint.com/.
On the side navigation, go to Policies > Sharing.
By default, your sharing settings for File and folder links will be Only people in your organization and Edit. These settings mean that when a user copies a link or shares an item, the default setting for that item will be to give the user Edit rights, and anyone who gets the sharing link within the organization can edit the item.
Change the settings to Specific people (only the people the user specifies) and View. The first setting will honor the permissions already set in place for that item, and the second setting is a fail-safe. If a user does want another user to edit an item they can change the setting when sharing, however, the default allows the user to just view the item.
Now when a user clicks Share or Copy link, they will be presented with People with existing access can use the link. Hooray! No unique permissions!
Of course, you can change the rules for some site collections if you don’t want these sites to adhere to the global settings. This is done by using PowerShell and the following command:
Set-SPOSite -Identity https://<tenant>.sharepoint.com/sites/site -DefaultLinkPermission Edit -DefaultSharingLinkType Internal