SVG is a minefield so massive it's hard to give an exhaustive list of everything that could go wrong. Especially when these kinds of assets might be hosted on user content domains and where webmail clients might allow access to the SVG content with inline disposition but outside of an IMG tag (most browsers enable/disable various SVG features such as JS or an app cache manifest according to context). There are also a ton of weird rendering modes that can be triggered for SVG (or MathML) and these can be used to bypass XSS sanitizers by means of mXSS which exploits differences in browser renderings when roundtripping content.
And sites with strong CSPs are often especially vulnerable to scriptless attacks, perhaps because they feel more protected. For example, in 2019, there was a bug bounty disclosure to Fastmail about a way to intercept and proxy all email attachment downloads, completely client-side, and yet without involving any JavaScript, simply using HTML5 AppCache. This also affected a whole lot of other providers, but the Fastmail team patched this within 24 hours, a pretty amazing response, and the quickest by far.
I've said it before, I'll say it again: the web needed a vector answer to jpeg, but what we got was a vector answer to html+css with all their commensurate vulnerabilities and complexities.
is PDF. Yeah, PDF has drawing commands. Most vector formats are based on command sequences, that map 1-1 with what you'd find in a drawing library like Cairo. EPS and PDF both work that way, which makes it even more of a typical vector format than SVG (which only does the command sequence thing with paths, AFAIK). Of course, it's not that well supported (the in-browser reader does who-knows-what to get it to render, I think it's converted to DOM elements), but it is the other major browser-supported vector format.
