What world is the author living in where PNGs aren't very frequently read and written with no user interaction. The web obviously displays PNGs with no prompt, sites can generate PNGs with canvas trivially and with no explicit permission. PNGs are also often displayed in notifications and may come from untrustworthy sources.

This feels like an irresponsible downplay of the severity.

That four new CVEs (two high-severity!) were found in a mature and well-tested library like png reminds me how non-trivial and unforgiving software engineering can be.

Security flaws are often just waiting behind the corner: this should be humbling lesson for all of us.