Some models include executable code. The solution is to use a runtime that implements native support for this architecture, such that you can disable external code execution. Or to use a weights format that lacks the capability in the first place, like GGUF. Then, it's no different to decoding a Chinese-made MP3 or JPEG - it's safe as long as it doesn't try to exploit vulnerabilities in the runtime, which is rare.
If you want to be absolutely sure, run it within an offline VM with no internet access.
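An added illustration of the point above about data-only weight formats such as GGUF (not code from the comment or from any GGUF runtime): a reader that treats the header and metadata purely as length-prefixed data and checks every declared length before reading. The function names and size limits are assumptions of this sketch, and it accepts only format version 2 and later.

```python
import struct

# Scalar GGUF metadata value types: type id -> little-endian struct format.
SCALARS = {0: "<B", 1: "<b", 2: "<H", 3: "<h", 4: "<I", 5: "<i",
           6: "<f", 7: "<?", 10: "<Q", 11: "<q", 12: "<d"}
T_STRING, T_ARRAY = 8, 9
MAX_STR, MAX_ITEMS, MAX_KV = 1 << 20, 1 << 24, 1 << 16  # assumed sanity limits

def read_exact(f, n):
    data = f.read(n)
    if len(data) != n:
        raise ValueError("truncated file")
    return data

def read_scalar(f, fmt):
    return struct.unpack(fmt, read_exact(f, struct.calcsize(fmt)))[0]

def read_string(f):
    n = read_scalar(f, "<Q")
    if n > MAX_STR:  # reject the declared length before reading that much
        raise ValueError(f"string length {n} exceeds limit")
    return read_exact(f, n).decode("utf-8", errors="replace")

def read_value(f, vtype, depth=0):
    if vtype in SCALARS:
        return read_scalar(f, SCALARS[vtype])
    if vtype == T_STRING:
        return read_string(f)
    if vtype == T_ARRAY and depth < 4:
        etype, count = read_scalar(f, "<I"), read_scalar(f, "<Q")
        if count > MAX_ITEMS:
            raise ValueError(f"array length {count} exceeds limit")
        return [read_value(f, etype, depth + 1) for _ in range(count)]
    raise ValueError(f"unknown or too deeply nested value type {vtype}")

def read_gguf_metadata(f):
    """Return (version, tensor_count, metadata); raise ValueError if malformed."""
    magic, version, tensors, kvs = struct.unpack("<4sIQQ", read_exact(f, 24))
    if magic != b"GGUF" or version < 2 or kvs > MAX_KV:
        raise ValueError("not GGUF, unsupported version, or implausible key count")
    meta = {}
    for _ in range(kvs):
        key, vtype = read_string(f), read_scalar(f, "<I")
        meta[key] = read_value(f, vtype)  # values are data only, never evaluated
    return version, tensors, meta

# Constructed sample: version 3, no tensors, one string key and one uint32 key.
SAMPLE = (struct.pack("<4sIQQ", b"GGUF", 3, 0, 2)
          + struct.pack("<Q20sIQ5s", 20, b"general.architecture", 8, 5, b"llama")
          + struct.pack("<Q17sII", 17, b"llama.block_count", 4, 32))
```

Every type in the table is a number, boolean, string or array of those, so nothing in the metadata can name code to run; what remains is parser robustness, which is why each length is checked against a limit first.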