If you enable interactive HTML file attachments in a viewport every user that can upload attachments to the source space of the viewport can compromise the security of your viewport and even of your Confluence installation.
The scripts are served from the same origin and thus have the same access level as the user of the viewport.