The tool is not working as hoped. File access control speaks of MIME types that are blocked or not blocked. In fact, only the file extensions are checked. If a user renames an unauthorized file to an allowed file, he can upload and download it. The MIME type of the current file is insignificant, only the file extension is checked.
A company administrator prohibits the upload of exe files using file access control and MIME types. One user copies his remote access application as a txt file to Nextcloud and downloads it in his professional environment.
A user on github has created a patch that has not yet found its way into the public repository.
An attacker could upload malicious files that have been blocked by the administrator.