pdf documents are usually not created by web developers but by other people and then uploaded to the website. all it takes is a way to have someones computer infect a pdf with malicious js code, which, (if such an infection is possible) is way more likely to slip through than an attacker embedding malicious js into the website itself.