@Prem_IB the file which contains executable code is recommended to be downloaded, for example XML, SVG, txt, etc. let us take a simple use case, usually, we use a .svg file to render the images, but at the same time, you can also execute javascript within the SVG file. The problem with this is if you open the SVG within the browser then there is a chance that the attackers can run malicious code in the browser.
In this case, you need to set the correct mime type that is image/svg+xml and also use Content-Security-Policy: script-src ‘none’ to disable the javascript execution while loading the SVG file in the browser.
It is good that create and upload .svg file only from the developers. if you give it to the end-user or content authors then you need to set up proper governance and everything should be reviewed and approved.