Safely Opening Untrusted .blend files

What are the safety concerns in opening an untrusted .blend file?

We support an addon that’s used by a number of people, and they will sometimes send us their .blend files.

If we reset Blender to factory defaults, is it generally safe to open such untrusted files?

If not, are there any settings (or other mechanisms) we can use to open their files?

Our addon also stashes a pickle of all of our data inside a Blender StringProperty. What’s the safest way to get to such a string?

Sorry if this is a duplicate question. I did a search and some manual browsing and didn’t find anything.

The main concern that I know of is allowing Python script execution at runtime. You can put malicious code in text files and/or drivers.
As you can do almost everything with the Python API, it may indeed be a bit dangerous.

I haven’t tested whether you can disable Python execution when loading a .blend but still execute your own code to extract your pickle data, but it sounds possible.

Resetting to factory defaults on your side restores the generally annoying preference that blocks Python execution, so you’ll be safe indeed.
The only issue with that is that it disables all drivers, so rigs tend not to work as expected. But if it’s only to get your pickle data back, it should be OK!
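An added example (not from this thread) of the approach sketched above: open the file with automatic script execution off, read the stashed string, and decode it with a restricted unpickler rather than `pickle.loads`, since a pickle taken from an untrusted file is itself executable. It assumes the addon registers the property on `Scene` as `addon_stash` and stores the pickle base64-encoded; both names are hypothetical.

```python
import base64
import io
import pickle

# Globals the addon's own data may legitimately reference (assumed; adjust to
# what the addon really pickles).  Anything else is refused.
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}

class RestrictedUnpickler(pickle.Unpickler):
    """pickle.loads() imports and calls whatever the stream names, so a pickle
    pulled out of an untrusted .blend must go through this allowlist instead."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def encode_stash(obj) -> str:
    """Assumed addon-side encoding: pickle, then base64 to fit a StringProperty."""
    return base64.b64encode(pickle.dumps(obj)).decode("ascii")

def decode_stash(text: str):
    """Reverse of encode_stash, via the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(base64.b64decode(text))).load()

def stash_is_accepted(text: str) -> bool:
    try:
        decode_stash(text)
        return True
    except pickle.UnpicklingError:
        return False

def read_stash_from_blend(blend_path: str, prop_name: str = "addon_stash"):
    """Run inside Blender: open the file with autoexec off, then decode the stash.
    use_scripts=False stops text blocks and drivers from running on load (same
    effect as starting Blender with --disable-autoexec).  The property's home on
    the Scene is an assumption."""
    import bpy  # only importable inside Blender

    bpy.ops.wm.open_mainfile(filepath=blend_path, use_scripts=False)
    return decode_stash(getattr(bpy.context.scene, prop_name))

# Constructed hostile stream: GLOBAL os.getcwd, empty tuple, REDUCE, STOP.
# Plain pickle.loads() would import os and call it; decode_stash refuses.
HOSTILE_STASH = base64.b64encode(b"cos\ngetcwd\n)R.").decode("ascii")
```

Drivers stay disabled for the duration of that session, so this is for data recovery only, not for inspecting the sender's rig.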

Antivirus software sometimes has a “sandbox” mode.