> I went through the post quickly, but didn’t get why Signal would just download an attachment from an unknown number/contact without first prompting the user to accept or deny the conversation request.

I guess you went through the post too quickly, because it goes over how that's exactly how it works. Unless you have push notifications enabled and on default settings to include the content in the push notification.