The main concern that I know of it allowing python script execution at runtime. You can put malicious code in text files and/or drivers.
As you can do mainly everything with python API it may be indeed a bit dangerous.
I haven’t tested if you can disable python execution when loading a .blend , but still execute your own code to extract your pickle data. But sound possible.
Resetting factory defaults on your side restore the generally anoying feature in the preference that block python execution , so you’ll be safe indeed .
The only issue with that , is that it disable all drivers so rigs tends to not work as expected. But if it’s only to get your pickles data back it should be ok !