Generally we see that people are not limiting the file types they want to scan; you can of course do that. I once configured a policy for a customer, where they only wanted application/executable, PDFs, images. That was it - not more.
For file sizes, we see that there is a slight tendency that orgs are only scanning up to a certain limit, whereas the limit varies between 10MB and 100MB.
I think a conclusive answer can't be given, as this is subject to your org's determination of the potential security risk.