The mime type isn't built in to the file in any way. One could even say that files don't have mime types. Sure, whoever created the file may have intended it to be of a certain type, but on disk it is still just a strings of ones and zeros.
The place where you encounter mime types in the context of file upload is in the HTTP headers, both when the file is uploaded to you and when the file is then downloaded from you by your users. Note that an attacker could try to send any file with any mime type, correct or incorrect.
Unless your server software doesn't explicitly store the mime type the client provided that information will be gone the second the HTTP request is processed. So when the file is downloaded, your server may very well give it a different mime type (Apache, for instance, derive one from the file extension).
So, what does this mean for you?
During upload, whitelisting on mime types isn't as important as whitelisting on file extensions. The file extension will be preserved on the server, and can affect how the file is treated (e.g. PHP files might be executed). I would still do it though, as an extra layer of security even though the mime type can be easily faked.
During download, you need to make sure that your server only puts "safe" whitelisted mime types in the Content-Type header. For instance, you don't want to serve anything as application/javascript since that would open up for XSS. But again, file extensions is just as important. E.g. don't serve anything with an exe extentions even if you don't allow the application/vnd.microsoft.portable-executable mime type (unless you want people do be able to up- and download executables, off course).
File upload is complicated, and I have tried to focus on issues related to mime type here. Please don't read this as a complete guide - there are many more things to consider, depending on your context.
