Depending on the version of CF you are using, the "allow" filtering may not be adequate. It is easy to spoof this by merely changing the extension of a file to appear to be a pdf, doc, xls file. CF10 did add the ability to actually check the mime type of uploaded files to validate them, which does improve the security of uploads.
Regardless, uploading directly to a folder within the web root violates web development best practices, regardless of whether you are using ColdFusion or any other server-side programming technology.
-Carl V.
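The two points in the post above (content-based validation instead of trusting the extension, and a destination outside the web root), as an added example handler; this is not code from the original post. It assumes ColdFusion 10 or later, a form field named `upfile`, and a placeholder directory `/srv/private_uploads/` that is outside the web root.

```cfml
<!--- Added example, not from the original post. Assumes CF10+ (for strict="true"),
      a form field "upfile", and a placeholder directory outside the web root. --->
<cfset uploadDir = "/srv/private_uploads/">
<cfset allowedExt = "pdf,doc,xls">

<cfif NOT directoryExists(uploadDir)>
    <cfset directoryCreate(uploadDir)>
</cfif>

<cftry>
    <!--- strict="true" makes CF10+ inspect the file content rather than trusting
          the client-supplied extension or Content-Type header; with strict="true"
          the accept list must be MIME types. A mismatch throws, so it lands in cfcatch. --->
    <cffile action="upload"
            fileField="upfile"
            destination="#uploadDir#"
            accept="application/pdf,application/msword,application/vnd.ms-excel"
            strict="true"
            nameConflict="makeunique"
            result="up">

    <!--- Second check: the extension of the saved file must also be on the allow list. --->
    <cfif NOT listFindNoCase(allowedExt, up.serverFileExt)>
        <cfset fileDelete(uploadDir & up.serverFile)>
        <cfthrow message="Extension not allowed: #up.serverFileExt#">
    </cfif>

    <!--- Keep the file under a generated name; the client-supplied name is only
          reported as metadata and never becomes the on-disk name. --->
    <cfset storedName = createUUID() & "." & lcase(up.serverFileExt)>
    <cfset fileMove(uploadDir & up.serverFile, uploadDir & storedName)>
    <cfoutput><p>Stored #encodeForHTML(up.clientFile)# as #storedName#</p></cfoutput>

<cfcatch type="any">
    <!--- Clean up anything CF may have written before the validation failed. --->
    <cfif isDefined("up.serverFile") AND fileExists(uploadDir & up.serverFile)>
        <cfset fileDelete(uploadDir & up.serverFile)>
    </cfif>
    <cfoutput><p>Upload rejected: #encodeForHTML(cfcatch.message)#</p></cfoutput>
</cfcatch>
</cftry>
```

Because the stored file sits outside the web root, it can only be served back through a handler (for example `cfcontent`) that applies the application's own access checks, rather than being directly requestable by URL.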