Currently, users are able to create, read, write, delete entities.
I am suggesting that PowerApps distinguish between reading data in the app and reading data in Excel (downloading the entity and opening it in Excel). As it is right now, users that you allow to Read can do both. I think that is a major security concern.
I filter all data that comes through all of my apps. I presume that everyone does as well--it is hard to imagine working with entire data sets all at once. I want my users to be able to filter all that data in app so I have to enable Read, but it's filtered on purpose: I don't want them seeing everything else. If PowerApps eventually allows the making of public apps, you also would not want your data freely downloaded and viewed.
That is why I am suggesting:
separate the "Read" permission into Read in PowerApps and Read in Excel or
provide a way to enable/disable downloading of an entity as a permission