Maybe I’m not understanding this correctly. I’ll take a shot anyway.
If the company were to store this XML file you speak of onto the SAFE network, It would make sense that they would store it privately. Nobody other than the one who uploaded it would know that it exists on the network. The uploaders’ credentials would be necessary to retrieve the file and decrypt it. If the company stored a sensitive file as public data on the network, the last thing they should be worried about is correlation. Mistakes like this could be averted by a confirmation prompt for all uploads destined to enter public domain.
Brute forcing other peoples private data stored on your vault is the only way you’ll get a tiny glimpse of what is stored on the network as a whole. Having data broken into many pieces makes this especially difficult as you would first need to gather all of the related chunks.
Files smaller than 1MB are bundled with the users’ datamap of all of his/her files. Those I guess would be the easiest to brute force if at all possible with current and near future processing power. Once that’s achieved, from there is should be fairly strait forward to gather the chunks specified in the datamap and use the brute forced key to decrypt them. All of this is very difficult and likely impractical. Hope I helped to clarify. 
Welcome to the forum! 