Perhaps we should consider that the recent webp vulnerabilities are as much webp’s fault as they are the browser’s, if not more, when was the last time you heard of a png or jpg arbitrarily executing code? Why is that even a thing that a bitmap format can do?