
Why?


I suspect they're concerned about the PDF format, which has been used in the past to deliver malicious payloads.


If there is concern there, use a reader without JavaScript or an online converter from PDF to another format.


The most famous exploits in Apple's PDF stack (notably not present in Adobe's renderers) came from bugs in FreeType (a software font rendering stack also used by a lot of Linux systems), specifically in the VM (seriously: it is an interpreter for a stack machine) used to run the embedded bytecode TrueType fonts use to "hint" their fit to the pixel grid.


If you are concerned about harmful files from the Internet, consider using Qubes OS.


Qubes is wonderful. I read HN and surf the web/social in a dvm - disposable vm, so if you are exploited, not only is it contained to the vm, it’s contained to the vm until you close it, at which point all changes are discarded.

(Modulo any Xen exploits that make it through and affect Qubes. No security is perfect.)


> Modulo any Xen exploits that make it through and affect Qubes

By the way, thanks to the clever Qubes design, quite few Xen exploits affect Qubes OS [0]. Especially after 4.0 with VT-d hardware virtualization [1].

[0] https://www.qubes-os.org/security/xsa/

[1] https://www.qubes-os.org/news/2017/07/31/qubes-40-rc1/#fully...



