Via the mobile app it is possible to bypass the file type restriction checks, this means that the checks are not done properly when using Web Services.
I was reviewing how was implemented the "file restrictions" for assignment because the file restriction check should've done in the server.
Basically, the problem is that via Web Services the restrictions checks are not done. The reason is that in Moodle web the restrictions checks are done by the file picker at client level only but in Web Services the file picker client restriction does not apply because is not used (files are directly uploaded to a draft file area).
In any case, all the files created in that draft area via WS are processed via file_postupdate_standard_filemanager that internally calls file_save_draft_area_files (where all the maxbytes and maxfiles restrictions are double checked).
I suppose that the way to fix this problem is to check the accepted_types option not only in file picker (client) but also in this function (file_save_draft_area_files) in the same way that maxfiles/maxsize is double checked.