
- There’s generally no secure way to transfer data between physically separate computers running conventional OSes.

- Malware which can bridge air gaps has existed for several years now and is becoming increasingly common.

Floppy disks

Hard disks used like floppies (especially plugged into a RAID controller with "auto run"-like features disabled)

Audio modem

Manual transcription via keyboard



I would personally have chalked that up as usability-- because there are facilities for secure file transfer between computers, but I get the argument.

Particularly since the common tools like SCP give way too much access unless you go through special effort.

> Floppy disks, Hard disks

As you note there are 'auto run' like issues, also file systems are not historically very robust against malicious data.

Hard disks themselves have host flash-able firmware and microcontrollers and get either DMA access (e.g. over SATA) to the system or get USB connected and the ability to pretend to be arbitrary USB devices like HID or exploit vulnerable USB drivers. So at least in theory a compromised system can turn your drive malicious such that it compromises other systems.

Though an attacker that sophisticated probably also has hypervisor escapes.

> Audio modem, Manual transcription

Personally I'm fond of just RS232 serial.


Was there ever a case in the wild of malware being installed into a host by inserting a floppy disk, without entailing the user boot off it, run a program from it, open a datafile crafted to exploit existing software, etc?

I always thought if you insert a floppy (with any OS autorun crap turned off of course), open a textfile to read, then take it out, you'd be pretty safe. (It's unfortunate the same can't be said of a USB drive).

Thanks, I missed RS-232.


It's been a decade but I have previously fuzzed multiple Linux file system implementations and was able to panic the kernel. I would be somewhat surprised if none had code execution vulnerabilities at some point, but I can't think of any publicly known ones off the top of my head.

Of course there absolutely have been auto-run vulnerabilities too. And modern Linux desktops have more auto-running auto-indexing stuff than ever. I've absolutely seen mounted drives being eagerly explored by gnome thumbnail generation stuff and likewise.

The challenge for modern security isn't avoiding vulnerabilities, it's avoiding whole classes of behavior that might be vulnerable because the attack surfaces are so huge that we'll inevitably miss vulnerabilities so long as they're not structurally impossible.

So for example, I'd always prefer to interact with a potentially malicious file system via an ephemeral read-only VM that reads the files and exports a network-fs like interface to my working system... It's just too hard to be certain there are no filesystem vulnerabilities-- they have huge surfaces and they're not usually tested against that. I can't even be sure the latest genius systemd feature doesn't silently run stuff on removable media (just as it did stuff like giving unprivileged users the ability to modify the system time without clearly documenting the change), if it's allowed to touch it. And if there are issues I'll be thankful that the malware payload would have also had to contain a VM escape for it to compromise my system.



