Airtable is what I would consider a low-security platform.
If you make someone a collaborator (even a read-only collaborator), it is not possible to disable the CSV exporting capability. It is one of the 7 major security flaws in Airtable, which I outline throughout this thread.
Once someone is a collaborator of your database, they always have full access to all of your data in multiple different ways, including making an entire copy of your entire base for their own private usage. Collaborators (including read-only collaborators) can even invite additional collaborators to access your database, even if you didn’t approve those additional people! And attachments are always publicly visible at their URLs, even after the attachments are deleted from your database.
So, collaborators should only be people whom you fully trust 100%, because you really have zero security in Airtable when it comes to collaborators.
The only way to prevent someone from being able to export a CSV file of your database (or exploit your data in other ways) is to remove their access as a collaborator altogether. Then, you could give them a “read-only share link” to one of your views. For most people, though, that solution really isn’t that helpful because: (1) it prevents them from editing any of your data, (2) they can’t comment on any of your records, and (3) they don’t have access to any other tables or views unless you generate more share links for them.
You can workaround many of these security issues by using Stacker to access your Airtable database, instead of using the Airtable interface itself. Stacker adds in almost all of the missing security features from Airtable, and Stacker adds in tons of excellent new features as well — such as people only being allowed to view the records that you want them to see.
