Users associate application behaviour with file formats.
Analogy: people think PDF files are safe, but aren't aware of the constant stream of RCE vulnerabilities that is Acrobat Reader & how widely it's used, which invalidates their model of behaviour associated with PDF files.
i don't know why spreadsheet applications don't standardise on a file extension that they won't screw with. call it csf or something. treat it like pure CSV except don't interpret =/@ or any of the other weirdness. basically just interpret all fields as plain strings as default [even if they look like numbers]. this way everything is backwards compatible old 'weird CSV' files still work and those that care about their users can use .csf and the files won't endanger their users.
That would make safety an "opt in" measure, it should be "opt out" instead. Make the CSV format stop interpreting formulas unless you specifically ask it to. Most people don't put formulas in their CSV files anyway.