Only infectables, so EXE, SCR, VBS, JS etc etc. DOC, PDF, XLS etc are not submitted at all for the exact reasons you’ve stated (they may contain sensitive information as they are document files.