I don't know what people expect - don't run code you don't trust. There are also lots of ways for Python to leak data if you execute a malicious Python script.
It's not about running code, it's about opening a TXT file with the operating system default handler for TXT files.
So what you are saying is basically 'do not open any files or websites you don't trust' - which is usually not what people expect, as that would basically mean 'don't use your computer'.
More specifically, I'm saying the web is designed around making network requests. If your threat model is not to make network requests, you shouldn't try and sanitize HTML via blacklists because you'll be in for a bad time (responding to the grandparent's list of HTML leaks, not the article. I agree that it's unreasonable that the txt file does anything. The mistake is in the Apple devs trying to sanitize HTML, which is doomed to failure).