Hacker News

kevindamm yesterday at 11:28 PM

Is it ironic that they publish it as a PDF? I get that it's the easiest way to control the print layout and also nicely self-contained... but how many of us are opening it in a sandbox as we should?


Replies

gynvael today at 7:43 AM

Hi, project lead here :)

Hah, that's a good point! I realize, of course, the issues with PDFs (I have a dozen or so CVEs in PDF readers like Adobe Reader, Chrome, etc.). This said, at the end of the day, there isn't much of a choice to be honest.

Admittedly this is because of where I wanted to go with this zine - i.e. make it printable, give authors the freedom to do whatever on the page (and not have to deal with manual DTP), and make it in a format that is widely supported and not limiting (and both PDF readers and writers are abundant).

Realistically if we wanted to go with a format that has 0 attack surface, it would have to be a headerless RGB pixel stream - but that's hardly usable. INB4: txt files have a greater attack surface than headerless RGB pixel streams, even if not by much (see various ANSI escape code problems over the last 4 decades).

P.S. Oh, and let's remember that demoscene/etc. zines back in the day were EXEs ;)

Retr0id yesterday at 11:34 PM

My PDF renderer is written in JavaScript and runs in a web browser; it is already sandboxed.

magicmicah85 today at 12:43 AM

Never heard of needing to open a PDF in sandbox mode, but it makes sense because of potential malicious content, so I looked up whether Chrome does it by default with its viewer. It does, as do Firefox and Safari, so that covers most browsers.
