Aha, that was what I was after, big thanks!
So, after a bit of meddling:
The location I was placing things in was media>my media (from the HA UI).
Assets there are stored in /media, and served in 8123/media/local, but require an authSig.
Changing permissions doesn't affect the availability; no sig is a 401 error.
However, if the file is copied from /media to /config/www/, it's then served (as you said) under 8123/local.
Brill, not too painful a process for a few static images (or indeed if I'm feeling brave, I could just symlink the folders).
Maybe one day there will be a way to upload background images for picture elements cards from the UI :)
That was going to be my backup plan, as I didn't want to use any more resource if I could avoid it 😅
The good news is, we figured it out, and got the file serving out of /config/www without an auth requirement.