Missing validation on file update

The security rules validate file properties (like size or content type) on creation (allow create) but not on modification (allow update). An attacker could bypass initial checks by first uploading a valid file and then using an update operation to replace it with a malicious or oversized one.