Part of the validation of your system should include this. Does the system properly manage such attachments? Is there a possibility that the attachment can be deleted or corrupted or changed (without proper tracking)? All those questions should be answered. You ask about risk so you could do a small risk assessment, identify the controls to mitigate the risks, and demonstrate in the validation that the controls are effective.