[idlewan]

FileReader is not related to an image tag loading its image, it's a javascript API: https://developer.mozilla.org/en-US/docs/Web/API/FileReader

So attacker would still need to have some javascript loaded somewhere for it to work. If electron app displays user-generated content, XSS can help run a javascript payload, however.