Back in August I asked that question in a thread now closed.
I think it is worth reviewing because of these answers it produced at the time :
from laurent : PDF is NOT a product by the Joplin team (so that is a concern)
from roman_r_m : it is disabled by default (may be less a concern ?)
I re-searched the matter a bit further, and I am still convinced that any PDF (viewer) can be a problem to data security. AND, in my desktop version (2.13.2) just downloaded and installed I found that the PDF viewer was ON by default.
The security concerned Joplin user will turn this option OFF and leave it off.