Really? The shell extension could just ask the Dropbox daemon if something is known about file x/y/z, and the daemon would answer "no" if the file is outside its folder. No need to look into the file for that. Or did I miss something?
If you look at the analysis posted elsewhere, Dropbox only queries the long-name of the file since apparently Explorer can still send it a short-name version of the file (e.g. "C:\PROGRA~2" instead of "C:\Program Files").