Usually the risk for something like this is that there's some unexploited bug in the USB stack or the OS. Which, from what I know from writing software, I don't trust shit.
I think the risk is insanely low for your average person because you'd have to use an unpatched bug on a well-supported system, you'd have to bug a USB port in a popular place, and you'd need a reason to do all that.
But at the same time, this is well in the wheelhouse and capability of some bored teen with a lot of time who wants to screw with people FWIW. You could also have fun and write a worm that infects everyone that connects to your USB port and have it DDoS a website or something. The first worms were created by bored people.