Like other antivirus programs, Microsoft Defender will upload suspicious files to Microsoft to determine if they are malicious. However, some consider this a privacy risk and would rather have their files stay on their computer than being uploaded to a third party.
When Microsoft Defender scans your device, by default, it will use the "Automatic sample submission' feature to upload files to Microsoft's servers when a file is suspected to be malicious.
Microsoft's cloud-based protection will analyze the file, and if it is determined to be malicious, cause Microsoft Defender to quarantine the file on the device.
When submitting files, Microsoft Defender will automatically upload executables and scripts but warn the user first to upload a file that may contain personal information, such as a document.
"If Windows Defender Antivirus is turned on, it monitors the security status of your device. It automatically prepares reports to send to Microsoft about suspected malware and other unwanted software. Sometimes, the report includes files that may contain malware."
"Files that aren't likely to contain user data are sent automatically. However, you'll be prompted for permission if Windows Defender Antivirus wants to send a document, spreadsheet, or other type of file that is likely to contain your personal content," Microsoft explains in a Windows 10 privacy webpage.