Definitely, but sandboxes can be escaped, and you can’t protect everything via sandbox. Apparently its all cloud anyway, but if it were local and sandboxed, there are still exploits like rowhammer and spectre that may cause further risks.

Its taken years to get browser sandboxes to where they are, and even they get broken every so often.

Still sounds like you’d be shipping your data to the cloud, where it can be exfilled from there.

Would potentially be a great phishing tool, just need to trick someone into putting sensitive data into a precooked excel file, and it gets exfilled.

Could result in some very cursed codebases.

“We dont use git, we just update the excel spreadsheet”

Integrated python scripts in excel sounds like a malware developers dream.