WTF ... Mozilla had always running JavaScript inside PDFs disabled by default.
But now with FF 88 this option is ENABLED by default. Which means, if a PDF file contains JS it will run without any user interaction. What can possibly go wrong?
To disable this:
about:config
pdfjs.enableScripting --> false
# FF 78.10 ESR doesn't include this option and still blocks JS in PDFs by default. Just tested.