I see you have defined a custom storage backend based on BotoS3 and removed pre-signed URLs. I suggest you look into AWS_DEFAULT_ACL and put_object.
Your bucket is configured to be private by default, which will be the default ACL Boto3 inherits, unless you provide an alternative configuration (which you can set through environment variables also).
You’ve also recently updated your Pipfile.lock, which consequently updated Boto3 for you, and might have included this PR - [s3] Restore AWS_DEFAULT_ACL handling #934, which in turn brought back AWS_DEFAULT_ACL, that was removed back in 2018.
Looking at permissions set on the objects in your bucket, timestamps of objects with public-read not being set seem to align with this PR and Pipfile.lock update.
Try setting AWS_DEFAULT_ACL env var through your CB Dashboard to public-read and see if that rectifies the issue.