This is something I’ve also pondered.
There’s no inherent limits on this kind of thing, but you could do Data Explorer queries on uploaded content and analysis on the web server logs (you can have them capture the logged-in username) to watch for abuse if you’re concerned about it.