
Content-Disposition can be very useful but it does have some potential security implications: http://www.gnucitizen.org/blog/content-disposition-hacking/



The security implication in this case is not directly related to Content-Disposition. It could just as well be implemented using the download attribute. The gist of the attack is that it was possible to inject arbitrary JavaScript into an HTML file that was downloaded. After opening the file locally, the usual browser protections do not apply since it's a local file and the JavaScript can use this to escalate its privileges.
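The defensive side of what both comments describe is that a server must never let user-controlled input decide the name, type, or header bytes of a file it hands out for download. The following is an added example written for this thread (it is not code from the GNUCITIZEN post or from either commenter) showing how a service can build a Content-Disposition value safely: it strips path components and control characters (so a CR/LF in the name cannot inject a second header), rejects extensions that a browser would open as an active document, and pairs the header with `nosniff` so the body is not re-interpreted as HTML. The extension allow-list and the helper names are assumptions chosen for the example.

```python
import re
import unicodedata
from urllib.parse import quote

# Constructed allow-list for this example; a real service would define its own.
# .html, .svg, .hta, .xhtml and similar are deliberately absent: once saved
# and opened locally they run script outside the usual browser sandbox.
ALLOWED_EXTENSIONS = {"txt", "csv", "pdf", "png", "jpg", "zip"}

# Anything outside word characters, dot, dash and space is replaced.
# \w is Unicode-aware for str patterns, so accented letters survive.
_UNSAFE = re.compile(r"[^\w.\- ]")


class UnsafeFilename(ValueError):
    """Raised when a user-supplied download name cannot be made safe."""


def safe_download_filename(name: str) -> str:
    """Return a filename that is safe to place in a Content-Disposition header.

    - keeps only the last path component
    - removes CR, LF, NUL and every other control character (header injection)
    - replaces remaining punctuation that could break header quoting
    - requires an extension from ALLOWED_EXTENSIONS
    """
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    name = unicodedata.normalize("NFKC", name)
    # Drop all Unicode "C*" categories: control, format, private-use, unassigned.
    name = "".join(ch for ch in name if unicodedata.category(ch)[0] != "C")
    name = _UNSAFE.sub("_", name).strip(" .")
    base, dot, ext = name.rpartition(".")
    if not dot or not base:
        raise UnsafeFilename("missing extension")
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UnsafeFilename(f"extension .{ext} not allowed")
    return f"{base}.{ext}"


def content_disposition(name: str) -> str:
    """Build an RFC 6266 Content-Disposition header value for an attachment."""
    safe = safe_download_filename(name)
    base, _, ext = safe.rpartition(".")
    # Plain filename= must be ASCII; non-ASCII letters are dropped from the base.
    ascii_base = base.encode("ascii", "ignore").decode() or "download"
    # filename*= carries the full UTF-8 name, percent-encoded per RFC 5987.
    encoded = quote(safe, safe="")
    return f'attachment; filename="{ascii_base}.{ext}"; filename*=UTF-8\'\'{encoded}'


def download_headers(name: str) -> dict:
    """Headers to send with a user-named download.

    nosniff stops the browser guessing a scripted type from the body, and
    X-Download-Options: noopen asks legacy Internet Explorer not to open the
    file in place instead of saving it.
    """
    return {
        "Content-Disposition": content_disposition(name),
        "Content-Type": "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "X-Download-Options": "noopen",
    }


if __name__ == "__main__":
    # Constructed inputs: one legitimate, the rest hostile.
    for candidate in ("résumé.pdf", "evil.html", "foo.txt\r\nX-Injected: 1"):
        try:
            print(repr(candidate), "->", download_headers(candidate)["Content-Disposition"])
        except UnsafeFilename as exc:
            print(repr(candidate), "-> rejected:", exc)
```

The allow-list is the load-bearing check: sanitising characters alone would still let a user name the file `report.html`, and the second comment's point is that the content of a locally opened HTML file, not the header, is what escapes the browser's protections.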



