@Gargron As a first-pass, the privacy setting of the post should be sufficient: if the post is public (i.e not unlisted, not followers-only), then it's fair game for QPs. If, for whatever reason, the original author wants to limit access after-the-fact, then changing the privacy setting for the post from public -> unlisted would achieve the desired effect

From an implementation standpoint, QPs could be implemented as a fully-rendered embed of the output from the /embed API endpoint