This guide still has some issues. It's missing common classes of web app vulns I've seen in Go code (e.g. CSRF, SSRF) and has some weird advice here and there (scan uploaded files with AV? Really?)
If you allow binary uploads, you're going to be a malware distributor whether you scan or not. AV just introduces complexity and attack surface and doesn't really belong in a guide about Golang secure coding practices.