The problem comes when malicious actors start crafting documents with extra features that should not be parsed, but many software will wrongly parse them because they use the default, full featured parser. Or various combinations of this.

It's a pretty well understood problem and best practices exist, not everyone implements them.