OK, I’m not sure whether it’s the AWS API or the JavaScript SDK, but it seems if you set ACL: 'private', which the API docs list as the default, then it works. Either the SDK knows it’s the default and doesn’t set the header, or the API knows it’s the default so ignores the header when it has that value.
Either way, sorted!