The thread established that it is, indeed, possible.
But it seems a bit risky - allowing to upload any arbitrary file which just happens to have the "json" file type.
Some sort of "signature" would seem beneficial - to give at least some reassurance that what was uploaded was actually intended as a Node-RED Flows file.
So the question is: how to do that? Are there any existing examples?
I'm thinking specifically in the case of a Node-RED Dashboard app.