I don't think there are any real security issues that could come out of this - you're giving an LLM a file to query (in any manner) and return those values to a user. The user can necessarily ask for any data from that file and the LLM will happily hand it out, so does it really matter whether it outputs the original Excel file when you could have always asked it to print out the data as a CSV?