-> They were concerned about the increased attack surface resulting from including the current 100K+ lines C++ libjxl reference decoder, even though most of those lines are testing code.

Seems like Google has created a memory-safe decoder for it in Rust or something.