The "code execution" in PDF parsing is what enabled this legendary zero-click, zero-day exploit of iOS devices: https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-i...
That exploit is indeed legendary but the code execution involved is not JavaScript. In fact the iOS PDF renderer does not have JavaScript enabled.
Obviously a skill issue; a true hacker would re-enable it.