[exporectomy]

You just restated the belief as if the reason is self-evident. What's the reason? Security? Even displaying a JPEG has had security vulnerabilities. You can't really seem to escape that just by not executing code. And no PDFs too, I guess, because they contain code?

[_Algernon_]

Reducing the attack surface is the pragmatic thing to do and it just happens that js alone makes a several orders of magnitude difference on its own. Don't let perfect be the enemy of the good.