By not having a plugin, all of the rendering done by PDF.js is contained within the sandbox normally provided for any page.

If a PDF is designed to exploit PDF.js, the worst it can do is the equivalent of a cross-site scripting attack on the page hosting PDF.js.

This is a huge win over the possibility of exploiting a bug in a plugin which runs outside of the browser sandbox.