RBAC is the correct way to limit access to data to authorised users. Perhaps also combined with Masking policies and Row access policies. But this is not the same as having Data Exfiltration controls. It can be entirely legitimate to access data for query and analysis but not export it out of Snowflake or download it locally.
This can be accomplished by disabling external stages and several other account parameters https://www.snowflake.com/en/blog/how-to-configure-a-snowflake-account-to-prevent-data-exfiltration/.
Restricting downloads locally is more tricky as this is entirely controlled by the client i.e. user browser, Power BI Desktop, etc. This aspect of Data Exfil control is therefore client-dependent.
You can now restrict access to the Snowsight UI with Authentication policies https://docs.snowflake.com/en/user-guide/authentication-policies and then you can ask customer support to disable the "Download results" button in the browser. This is an internal setting that only SF can enable/disable (this isn't bulletproof as the user could still enable the setting again locally with javascript - assuming they know what they're doing) but it's at least something.
By combining these two options you can restrict access to the Snowsight UI and disable downloads locally. However, there is currently no setting to disable copy/paste from the results window. You could try to mitigate this with max rows returned https://docs.snowflake.com/en/sql-reference/parameters#rows-per-resultset but this can still be overridden at the session level by the user. Lastly, it's worth mentioning that you can monitor data egress with the following views:
The query history view will show GET requests for data that is downloaded locally from an internal stage e.g. via the Snowsql cli but there is no ability to log downloads from the UI (if you have the button enabled).
And of course, none of these measures would prevent a user from using a camera and OCR library to extract data from the Snowsight UI. So, at best these measures would only help to protect against "inadvertent" Data Exfil and perhaps slow down/restrict the actions of a bad actor.