It sounds like a link can be a file path and clicking the link just opens the file. If that’s the case, this is effectively the same risk as filesystem shortcuts.