What can be put in the Allowed file types field: MIME types, file extensions?
You need to enter a list of file extensions.
I suggest updating the documentation with this information.
I’m not sure just checking file extensions is that useful security-wise; you should really check MIME types.
ACF doesn’t handle the actual upload. It calls wp_handle_upload() to manage the details.
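The difference between an extension check and a content-type check, as an added example that is not part of this thread and is not ACF or WordPress code. The comma-separated field format, the function names, the extension-to-MIME map and the sample bytes are all assumptions constructed for illustration; it needs PHP's fileinfo extension.

```php
<?php
// Added example; not ACF or WordPress code. All names here are hypothetical.

// Extension => MIME types accepted for that extension (constructed allow-list).
const EXT_TO_MIME = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'pdf'  => ['application/pdf'],
];

// Parse a field value such as "jpg, PNG, .pdf" into normalized extensions.
function parse_allowed_extensions(string $setting): array
{
    $parts = array_map(
        fn(string $e): string => strtolower(ltrim(trim($e), '.')),
        explode(',', $setting)
    );
    return array_values(array_filter($parts, fn(string $e): bool => $e !== ''));
}

// Accept only if the extension is allowed AND the sniffed content matches it.
function validate_upload(string $filename, string $bytes, array $allowed): array
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true) || !isset(EXT_TO_MIME[$ext])) {
        return [false, "extension '$ext' not allowed"];
    }
    // Detect the type from the bytes, never from the client-supplied Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($mime === false || !in_array($mime, EXT_TO_MIME[$ext], true)) {
        return [false, "content is '$mime', which does not match .$ext"];
    }
    return [true, "ok ($mime)"];
}

// Constructed sample uploads: name => leading bytes of the file.
$allowed = parse_allowed_extensions('jpg, PNG, .pdf');
$samples = [
    'photo.jpg'   => "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00",
    'avatar.jpg'  => "<?php echo 'not an image'; ?>", // allowed extension, wrong content
    'report.docx' => "PK\x03\x04",                    // extension not in the list
    'notes.pdf'   => "%PDF-1.7\n",
];
foreach ($samples as $name => $bytes) {
    [$ok, $why] = validate_upload($name, $bytes, $allowed);
    printf("%-12s %s: %s\n", $name, $ok ? 'ACCEPT' : 'REJECT', $why);
}
```

An extension-only check would accept `avatar.jpg`; the content check rejects it because the bytes are not JPEG data.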