You can actually disable copy now, which should stop most of the bad actors. But the principle remains: the whole doc gets loaded into one’s browser, and with some tenacity it’s possible to extract all the data out of that doc. It’s encoded but any half-decend dev would immediately figure out how to decode it.
E.g. I used this simple script a while ago to check on what was taking space in some critical docs of my clients. Now it’s more complicated than that because of doc sharding, but doable just like that.