PDF in the spec contains an insane amount of stuff which could be exploited. But every reader other than the Adobe one leaves out most of the spec.

So I wouldn't be that worried about opening a random PDF in a browser. But I would be maybe worried about opening one in a desktop app written in an unsafe language.