I'd think opening a PDF in your browser would be at the same risk-level you associate with going to any random URL. On Firefox at least, I'm pretty sure the built-in PDF viewer is simply JS parsing and rendering the PDF anyway -- nothing with elevated permissions:
> I'd think opening a PDF in your browser would be at the same risk-level you associate with going to any random URL.
Probably pdf.js is more secure, as it is more modern than the HTML/js engine, it contains less legacy code, it is written in a higher level language, and they could implement a safer subset of the pdf standard, than they could do with the HTML/js standards.
https://mozilla.github.io/pdf.js/