Most likely that's correct. Unless there exists some MacOS issue where just loading the thumbnail or metadata from that file would lead to exploit. It's extremely unlikely that's the case of a 0-click unpatched exploit on a random public file, but just wanted to note this for completeness - if you're paranoid about this case for some reason, it's possible in theory.
macOS does have quicklook generators, and the system seems very eager to register things with launchServices even before the app has been opened once. Perhaps this has been tightened on recent macOS versions, but otherwise it seems theoretically possible to get code running in a "0-click" fashion, simply by mounting a DMG which contains an app with a qlgenerator and another file with matching file type.