Which gives (except for pdf.js) more PDF readers written in C, some with a long history of CVEs, and typically not sandboxed by default.
Since many people are using a PDF reader to read PDFs from relatively untrusted sources, do yourself a favor and at least use a reader that does not have full system access.
macOS: Preview.app (uses macOS sandboxing)
Linux: Evince Flatpak on Wayland (Flatpak uses sandboxing. Wayland because X11 apps can read all keystrokes, mouse events, do screengrabs.)
Windows: no clue
All platforms: in-browser PDF reader with a browser that sandboxes.
Applications that can send commands to X.org servers can completely control it. The same isn't true for Wayland.
Flatpak is providing the actual application sandboxing, but being allowed to talk to the X server is a huge amount of privilege that can't really be restricted.
Since many people are using a PDF reader to read PDFs from relatively untrusted sources, do yourself a favor and at least use a reader that does not have full system access.
macOS: Preview.app (uses macOS sandboxing)
Linux: Evince Flatpak on Wayland (Flatpak uses sandboxing. Wayland because X11 apps can read all keystrokes, mouse events, do screengrabs.)
Windows: no clue
All platforms: in-browser PDF reader with a browser that sandboxes.