The "export resultsets" function of Quarry does not appear to be protected against CSV Injection, also known as Formula Injection.
For example, this query, tested on a local dev environment:
will, when exported as CSV, create a file that contains:
This file, when imported into Google Docs, will load the remote URL without warnings.
Malicious code can be hidden in a large request as many are executed.
Since all the Quarry resultsets are public, data theft using other formulas is not the problem.
According to http://georgemauer.net/2017/10/07/csv-injection.html, this can be used to get any other Google document that the user has access to:
Sheets are not limited to just their own data, in fact they can pull in data from other spreadsheets that the user has access to. All that an attacker has to know is the other sheet’s id. That information isn’t usually considered secret; it appears in the spreadsheet urls, and will often be accidentally emailed, or posted in intra-company documentation, relying on Google’s security to ensure only authorized users access that data.
Finally, it seems very likely (not tested) that it is an easy vector to launch arbitrary applications on Windows if the file is opened with Excel, as the same blog post says.
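One way an export path can neutralize formula cells before writing the CSV, following the character set in OWASP's CSV Injection guidance. This is an added example, not Quarry's code; the function names and the sample resultset are constructed for illustration.

```python
import csv
import io

# Leading characters that make a spreadsheet evaluate a cell as a formula
# (the set listed in OWASP's CSV Injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a value that a spreadsheet displays as text instead of evaluating."""
    if value is None:
        return ""
    if isinstance(value, bytes):
        value = value.decode("utf-8", errors="replace")
    # Real numbers from the database stay numeric, so -5 remains -5.
    if isinstance(value, (int, float)):
        return value
    text = str(value)
    # Conservative choice (an assumption of this example): a trigger that
    # follows leading spaces is treated the same as one in first position.
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_csv(headers, rows):
    """Serialize a resultset to CSV text with every field neutralized and quoted."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    # Column aliases are chosen by the query author, so headers are cells too.
    writer.writerow([neutralize_cell(h) for h in headers])
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return out.getvalue()


# Constructed sample resultset: string values and aliases are untrusted,
# numeric columns are passed through unchanged.
SAMPLE_HEADERS = ["page_title", "=1+1", "delta"]
SAMPLE_ROWS = [
    ["Main_Page", "=SUM(1,2)", -5],
    ["  @SUM(A1:A2)", "plain text", 3.5],
    [b"+1+1", None, 0],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_HEADERS, SAMPLE_ROWS))
```

The apostrophe prefix changes the exported data, so programs that parse the CSV directly will see it; the same neutralization applies to any other spreadsheet-readable export format that carries untrusted strings.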