This should be resolved since SECURITY: Download allowlist for uploaded files · discourse/discourse@9c0642a · GitHub
We now have centralised logic to determine which files should be shown ‘inline’. That means that PDFs are consistently shown inline, and some less safe file types are consistently served as downloads. These changes should work on all types of upload storage (local & S3, with or without CDNs).