Hi Anitha,
I have created a simple policy on the customers table and tested it. It is indeed bypassing the XDS somehow. This is unexpected behavior as it should enforce the XDS security (in my opinion) when using the excel add-in or any other way of retrieving the data using data entities. Unless the user is system administrator.
I would still suggest to open a support case for Microsoft Support.