How I upload, save and set a featured image from my frontend?

Sorry, this isn't an answer, but you need to sanitize that user input. You're allowing tags to be written directly into your post content, which allows anyone to run JavaScript in both wp admin and on the front end of your site (assuming you'll eventually print these posts). I highly recommend (at minimum) strip_tags() or htmlspecialchars() on all user input strings. There are better/alternative ways, but this is at least a good start without going into too much detail.

In theory the title would be an issue, but I'm pretty sure WordPress will strip tags from there. However, WordPress allows script tags in post content so that people can use embed codes.

If you are unaware of the risks of not sanitizing user input, then I'd recommend even more caution when handling file uploads. Downloading a malicious file, or having thousands of your website's users do this, could potentially be a lot worse than having some malicious JavaScript run inside your browser. Thankfully wp_insert_post will at least prevent SQL injection on your completely raw user input.

My only further recommendation is to at least check the allowed MIME types and use WordPress functions whenever possible to handle the uploads, assuming that they might offer some protection against malicious files, but apart from that I can't give much advice on how to do this securely (although I have done it before... I don't have access to that code right now).
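To make the advice in the answer above concrete, here is an added example (not the asker's or the answerer's code) of a frontend post handler that sanitizes the title and content, checks the uploaded file's real type against an allow-list of image MIME types, and hands the file to WordPress's own upload pipeline before setting it as the featured image. It assumes a form with fields `post_title`, `post_content`, a file input named `featured_image`, and a nonce field `frontend_post_nonce` created with `wp_nonce_field( 'frontend_post', 'frontend_post_nonce' )`; the capability check (`publish_posts`) and the choice to hold submissions as `pending` are also assumptions about what the site wants.

```php
<?php
// Added example: frontend post submission with sanitized text input and a
// validated featured-image upload. Field and nonce names are assumptions.

function my_frontend_handle_post_submission() {
    // Assumption: only logged-in users allowed to publish may submit.
    if ( ! is_user_logged_in() || ! current_user_can( 'publish_posts' ) ) {
        return new WP_Error( 'forbidden', 'You are not allowed to create posts.' );
    }

    // Reject submissions that did not originate from our own form (CSRF).
    if ( empty( $_POST['frontend_post_nonce'] )
        || ! wp_verify_nonce( $_POST['frontend_post_nonce'], 'frontend_post' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid form submission.' );
    }

    // Title: strip every tag. Content: keep only the tags WordPress allows in
    // post content (wp_kses_post), which removes <script> and event handlers.
    $title   = sanitize_text_field( wp_unslash( $_POST['post_title'] ?? '' ) );
    $content = wp_kses_post( wp_unslash( $_POST['post_content'] ?? '' ) );

    $post_id = wp_insert_post( array(
        'post_title'   => $title,
        'post_content' => $content,
        'post_status'  => 'pending', // assumption: hold for moderation
        'post_type'    => 'post',
    ), true );
    if ( is_wp_error( $post_id ) ) {
        return $post_id;
    }

    // No image supplied: the post is saved without a thumbnail.
    if ( empty( $_FILES['featured_image']['tmp_name'] ) ) {
        return $post_id;
    }

    // Allow-list of image types. wp_check_filetype_and_ext() inspects the file
    // contents (not only the extension) and returns an empty 'type' when the
    // real type is not in this list or does not match the extension.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    $check = wp_check_filetype_and_ext(
        $_FILES['featured_image']['tmp_name'],
        $_FILES['featured_image']['name'],
        $allowed
    );
    if ( empty( $check['type'] ) ) {
        return new WP_Error( 'bad_file', 'Only JPEG, PNG or GIF images are accepted.' );
    }

    // media_handle_upload() lives in wp-admin; include its dependencies on the
    // frontend. It re-validates the MIME type, gives the file a unique name
    // inside the uploads directory and creates the attachment post.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';

    $attachment_id = media_handle_upload( 'featured_image', $post_id, array(), array(
        'test_form' => false,
        'mimes'     => $allowed,
    ) );
    if ( is_wp_error( $attachment_id ) ) {
        return $attachment_id;
    }

    set_post_thumbnail( $post_id, $attachment_id );
    return $post_id;
}

// Run the handler when our form is posted; redirect back on success so a
// refresh does not resubmit the form.
add_action( 'template_redirect', function () {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) || ! isset( $_POST['frontend_post_nonce'] ) ) {
        return;
    }
    $result = my_frontend_handle_post_submission();
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), '', array( 'response' => 400 ) );
    }
    wp_safe_redirect( add_query_arg( 'submitted', '1', wp_get_referer() ?: home_url( '/' ) ) );
    exit;
} );
```

Two design points worth noting: `wp_kses_post()` is used instead of `strip_tags()` so that harmless formatting survives while script-capable markup is removed, and the MIME check is done twice on purpose (once explicitly, once inside `media_handle_upload()` via the `mimes` override), so a file renamed to `.png` that is not actually an image is rejected before it ever reaches the uploads directory.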
