Of course there is, you can check the upload speed using the banal apache benchmark. But in general, there are many questions and complaints about the very principle of middleware chains, it is much more efficient to route URLs to functions not through chains, but through hash tables. Otherwise, with hundreds of middlewares, everything dies, and this is what happens in large projects. Even if you do not take into account CDN and nginx, and give the static to the node, it is better not from the disk. There are usually few statics, well, let's say 15mb (not counting user content of course), so you won't have 15mb of memory? Moreover, you can already keep a buffer in memory, minified and packed in gzip (if necessary).

So it's still quite obvious and depends on the requirements. If access to the file is restricted, then there must be logic to check the restrictions => one way or another, you will have to configure the controller or middleware for this very check before the file is given. If you need to log file requests, then (suddenly!) you need to connect the logger before uploading files.
In short, there may be a drop of reason in this version, but the cases described above, in my opinion, are rare enough to be able to answer that there is not a drop of reason here. This is not even talking about what you asked not to take into account, although this is always taken into account on real projects.
By the way, user deserialization may not be directly from the database, but, for example, from the session.