Regarding data classification, the data concerned doesn't have to meet a very high level of protection - it is private data, not of national interest, but I feel that it should have some level of protection. Maybe I'm being paranoid about GDPR, preferring to err on the side of caution and I understand your point that Affinity Publisher would now need to handle the password which would put a potential legal burdon upon Affinity. I guess the only way around that would be that Apub should handle data sources like Excel in the way that many other applications do – require that the data source be already open before Apub needs to aquire the data so that the password has been dealt with in the original application (Excel in this instance).
I have to say that I have learned a lot in having this discussion and that it will likely change the way I handle things. Thanks for your input, dkenner.