As the first quick solution there should be a configuration flag to allow us to restrict Iceberg reads to data files located only inside of the table locations.
e.g. with the following definition
The restricted location should be
Note: this configuration should not be enabled by default as this breaks Iceberg's functionality storing data files in different locations and would only be useful when users use iceberg only as standard external tables with meta+data under table location.