PDFs can run almost anything and have an attack surface the size of Greece's coast.
That's not very different than web browsers, but usually security concerned people just disable scripting functionality and such in their viewer (browser, pdf reader, rtf viewer, etc) instead of focusing on the file extension it comes in.
I think pdf.js even defaults to not running scripts in PDFs by default (would need to double check), if you want to view it in the browser's sandbox. Of course there's still always text rendering based security attacks and such but, again, there's nothing unique to that vs a webpage in a browser.
I think it's a lesson that we all consistently fail to apply to ourselves. It is so pervasive on social media - HN included - yet it's something we only attribute to others. Our hot takes on quantum physics, molecular biology, and economics are always reasonable and rooted in keen insights.
It happens for a reason. There's something deeply satisfying about being a contrarian: the implication that you're smarter than the masses. It's usually hard to be a contrarian in your primary field of expertise. It's a lot easier to be a contrarian in someone else's.
E.g. I've probably talked about various aspects and extensions to the ISIS routing protocol with in-field experts for more hours than I could think to add together... but the bulk of my practical understanding really comes from the (comparatively) small amount of time I spent building custom implementations, debugging other implementations, and deploying ISIS in various locations. I probably couldn't have done the latter nearly as well without the former, but the latter is where I went from suggesting protocol changes that sounded reasonable to making critiques that were actually actionable
Similarly, I know I know BGP more than your average person, enough to sound like the protocol experts, but I lack most all of the practical working and experimentation knowledge. If you asked me what I think should be changed about BGP I'd probably rattle off a decent list, and it'd probably sound pretty convincing, yet I doubt I would even agree with half of it if I had the other half of the mental model built (or I told it to someone who specialized in BGP). That kind of step doesn't (and usually can't) come from working deeply in a different area (even if similar) and "talking the talk" about the other area.
That said, what makes social media addicting, especially in areas where specialists like to coalesce (HN is one such place, IMO) is you can get a TON of that kind of conversation, data, and readings about anything. Then it makes you overconfident because you got that style of interaction without even doing anything remotely related to that area.
All of this reminds me I've spent far too much time on HN... and I'm entering 12 days of PTO. Time to set noprocast to something ridiculous :).