The stated goal of the Discover permission is to allow anonymous users with Overall/Read access to learn about the existence of items, so that attempts to access them don't result in a straightforward 404 page, but instead tells them to instead please log in.

Since it's a regular permission, it often gets handled badly, for example when moving or renaming items. Additionally, it's granted to actual users, for whatever reason ("too bad you're you, otherwise you could see something here!").

Instead, the regular 404 page should be improved to include a login form (if the user is anon and there's a security realm). This way, there's no way to distinguish discoverable from undiscoverable resources, and the advantage of the Discover permission is obsoleted.

Unless I'm missing something, this should be relatively straightforward with a request filter that applies on 404 and shows a new view related to the security realm