

Sure, in Firefox itself it wasn’t a severe vulnerability. It’s way worse on standalone PDF readers, though:
In applications that embed PDF.js, the impact is potentially even worse. If no mitigations are in place (see below), this essentially gives an attacker an XSS primitive on the domain which includes the PDF viewer. Depending on the application this can lead to data leaks, malicious actions being performed in the name of a victim, or even a full account take-over. On Electron apps that do not properly sandbox JavaScript code, this vulnerability even leads to native code execution (!). We found this to be the case for at least one popular Electron app.
That doesn’t really follow. Specifically, you’re putting way too much credit (infinity times as much credit as you should, in fact) on your ability to know exactly how your universe works. You’re saying there are zero hypothetical worlds in which you are the person you are now and also magic exists. I’m sure you can see how this is not true; for all you know magic is very obvious in your world and you just got mind-controlled, a minute ago, to your current state of mind. Or maybe you just never noticed it and hence grew up thinking you are in a mundane universe, which is very unlikely but not probability-0. Or one of many, many other explanations, which are all unlikely (nothing involving a universe with magic in it is going to be likely), but very much not probability-0.