Because for a dead simple read-only PDF viewer, I trust Google's security team over random Play Store app to properly sandbox the PDF and not let it do shady shit to my phone upon opening.

I'd trust Firefox more if they provided one, but in their absence, Google has the talent and the resources to do it properly.

Doesn't it mean the PDF file gets uploaded to Google drive then ?

It does not. It is just a name. The file stays on the device and is not uploaded to Google Drive.

No there's a local viewer

Samsung phones open PDFs in their Notes app. Besides that, I think most people just install Adobe Reader because it's what they know.

I'd expect googles pdf viewer to be comparable to others using well established libraries, such as poppler and mupdf.

Currently, most of the PDF viewers from f-droid report they have a security vulnerability and the f-droid app recommends uninstalling them. For example:

https://f-droid.org/en/packages/com.foobnix.pro.pdf.reader/

No explanation on what the vulnerability is.

According to the forum discussion [1] you can find the explanations (when they're not included in the app description) in the MaintainerNotes part of the metadata file, which is linked from the page that lists all vulnerable apps [2] and as "Build Metadata" on the page you linked. Not very obvious, but at least the info is available somewhere.

[1] https://forum.f-droid.org/t/vulnerability-warnings-in-f-droi...

[2] https://monitor.f-droid.org/anti-feature/KnownVuln

The ones on f-droid are each horrible in its own specific way - some don't support scrolling, some don't support pinch-to-zoom, some have UX from 2012, some don't allow you to save the file (how am I supposed to save a bank statement then?).

I quite like MuPDF. For ages its UI was small but dated; it looks less dated now. That said, I don't remember there being a save button...

No idea why people are complaining about the pdf readers in f-droid.

The MuPDF android versions are great, and KOReader is the best ebook and pdf reader I've ever used.

Maybe other people have other use cases, but the above work really well, and don't have known security vulnerabilities (since another commend complained about that).