
The problem is that if you have a process using ffmpeg and an attacker feeds it a video with this codec, ffmpeg will proceed to auto-detect the codec, attempt to decrypt and then break everything.

If the format is old and obscure, and the implementation is broken, it shouldn't be on by default.



Sorry, I probably wasn't clear enough in my comment. I was trying to say that being old gives some legitimacy for existing. Just because it is old doesn't mean it isn't used. Though yes, this should be better determined to make sure it isn't breaking workflows you don't know about.

But old AND obscure, well it's nice that it is supported but enabled by default? Fully with you there.



