You say solid, but I don't see any proof that the client actually send the file. Without something like a strace analysis, you can't really know for sure if the file was even read completely and sent to the Dropbox servers
I really, really doubt that the client actually sends the file. But, imagine if they read only metadata and uploaded that.
I agree with what another commented brought up - it's probably just unfortunately overaggressive 'filesystem-watch' code - IE when you change a file it checks to see if it needs to be synced and re-uploaded. It shouldn't be able to affect other files, though. Makes me wish we had more nuanced security controls, like per-app permissions a la Android/IOS.
