
My argument lately has been: Should we be allowing code to run inside of our documents? Am I okay with PDFs, jpegs, mp4s etc. running arbitrary code when I open them?



imo the extension is how we communicate the purpose of the contents: if it's a .js or .exe file, expect execution, and take appropriate precautions

while media _shouldn't_ run arbitrary code, there's also nothing stopping a malicious actor from crafting something that breaks through a buffer overflow in the .mp4 codec for example

the safest bet would probably be "assume anything can run arbitrary code, even if it's not supposed to"



