Comment by weinzierl
My point is that nothing runs without at least one initial user interaction - which makes a big difference for security.
I believe this is even true for Acrobat with default settings, because while you can trigger JavaScript when a document is opened (/OpenAction) Acrobat will ask for permission.
I think I got your point but might have expressed myself badly. The pdf can run js and messes with the display right at opening time, without any warning or ask for permission.