kailash745, it is a matter of permission.
We have two permissions for this matter. In English they are called:
"Allow all kind of files, instead of only images and safe types"
"Media potential trusted"
The first is the VM filter, which just checks for file types. This is necessary when you want to sell zips containing PHP. The second is the Joomla filter. Both rights should be set to allowed for Superadministrators. But of course they should be set to "not allowed" for non-admins.
So I don't see a security issue here. When a shop allows users to upload media in VM, it is a multivendor shop and the rights should be set correctly, of course. When the shop allows uploading media for a product, then these are 3rd party products. They may use our upload; when they do it, as long as the rights are set correctly, everything should be safe.
When you install a fresh store, the rights are set correctly, so I don't see a problem here.