Cyberduck support has replied that:
“For Google Drive, we do set the content type of the unencrypted file in metadata.”
So, I guess this is a case of Cyberduck not strictly adhering to the Cryptomator specifications…
Having the filetype visible may not be a major security risk, but it is unexpected, given the the info about what data is encrypted provided at: https://cryptomator.org/security/advice/