I have observed that the all user roles have the ability to export
reports. But I see a major security flaw in this which is that any
user can export the customer lists or SO list etc which can used for
espionage or any other malicious activity in a company.
Therefore, I would request that there should be an option to block the
export option for a particular user or role.
Also in custom reports there should be an option to give rights to
particular user or role, this ways we can control who is able to
access which report or not.