Not to mention how this does nothing about all the other ways an attacker could could exfiltrate data with default google sheets formulas like IMPORTHTML, IMPORTXML, or even HYPERLINK which will all generate http request.