This is inherently unsafe because a webpage can download a malicious
file without user interaction, and trust it will open automatically in
a vulnerable application.

We will continue to download files automatically, despite the various
Chrome hacks from last year proving that this can be abused via tracker
and GNOME desktop thumbnailers. Tracker now mitigates this risk using
libseccomp, and GNOME desktop thumbnailers are now run under bubblewrap.

https://bugzilla.gnome.org/show_bug.cgi?id=794681