I was experimenting with different ways to share a table with a client. I was quite alarmed when I tried “Download CSV”, and the attachments, many containing private/sensitive data, were uploaded to publicly accessible URLs by default without my consent.
Is no one else as concerned as I am about this default behaviour? To my mind, unless explicitly stated otherwise, export/download should be exclusively to the local device. Uploading to public URLs should be opt-in. As it functions now, Download CSV is actually “Download CSV and Upload Attachments to the Public Web.” This is a security issue, especially since the user is not given the option to turn it off or even warned about it.
Can someone please show me how to wipe/delete these attachments from the web?