I'm more worried about AV software. Code that also needs to be able to parse a large number of file formats, opens every file that enters your computer through one of many pathways, and generally runs at a high privilege level. A huge attack surface that's easy to reach and with far reaching consequences if it can be exploited. Add to this that it's in wide use, often even mandated by corporate IT and its recipe for disaster.
> I'm more worried about AV software
Media codecs pretty much, single-handedly even, drove about a new era of defenses and mitigations in Android: https://blog.isosceles.com/the-legacy-of-stagefright / https://archive.vn/x3d0Y
In theory the parsing could run at a low privilege level subprocess. Root/admin is only needed to get the bytes.