elementary: it is enough to make sure that the downloaded files are not executed as code.

Are only files with a .php extension dangerous?

The number of ways to execute a specially prepared file is not just large, but increasing. Some holes are patched, others appear in return.
For example, I remember the times when it was enough to set the attribute rw------- to a file, and then suddenly, after the next update of the host software, these files became both visible and executable.
We cannot know in advance how the server software will change.
But we can more or less confidently assume that the archives will remain archives, without extracting from which it will remain impossible to execute the file.
Therefore, if the site is not too heavily loaded, archive the downloaded file, and give its contents only through the unzip script. And may you not be poor.

This is because you don’t know how to google
. Firstly, you can set a site where to look for
site: qna.habr.com secure file upload - and hob, it turns out that you are not the only such prodigy who came up with a unique question, and here herds run around with one and the same question.
secondly, you can set the date of the article. do you like the last decade? Set current

Prohibition of direct access to downloaded files (with the folder specified) when accessing them through the browser.
If it is necessary to directly request downloaded files from the browser, an intermediate "sump" folder is created: validation of the "body" of the file by the script for compliance with the expected format and moving to the direct access folder if the file has passed the test.