Oscar Martinez lays out the risks:
Data exfiltration is the act of moving sensitive data outside a trusted environment without authorisation. In the context of Power Query (the data transformation engine behind Excel, Power BI, dataflows, etc.), this means an insider could use a Power Query script to siphon data from secure sources (like databases) out to an external destination. Microsoft defines data exfiltration as the movement of sensitive business data outside a trusted boundary, whether intentionally or unintentionally.^1
Click through to learn more about what is possible, as well as practical tips on how to reduce this risk.