True - I mean, one could try and block based on file-extension/MIME-types, but... nothing stopping a malicious user from renaming a file to an allowed extension, with some sort of malicious/secret payload. (Or... spreading some sort of malware/virus/exploit via media file formats, I have never looked into the possibility of that until just now, apparently it can be a thing - https://cyberpress.org/cybercriminals-exploiting-media-files...)

So yeah - this is probably one of those half-baked ideas that just wouldn't be a good one to actually implement "in-the-wild".