So it’s not that there’s something inherently vulnerable in handling webp, just that they both used the same library which had a vulnerability. (Presumably the article was a little vague about the Apple side because the source wasn’t open/available.)
I don’t think it’s inherent to how webp is processed, just a common denominator somewhere between Chrome’s implementation (which uses libwebp) and Apple’s proprietary implementation (which might or might not use libwebp). Whether Apple uses libwebp or not, it still has important implications that the most common methods to implement webp support were vulnerable: if the problem is with libwebp, well a shitload of software uses libwebp. If the problem is with some proprietary Apple code and libwebp at the same time, well that’s also concerning.
That sounds like a really strange thing to say.
I was thinking specifically of core OS functionality that uses image processing: file browsers that use thumbnails/previews, lock screens/screen savers/login screens that display images over stuff that shouldn’t be visible, notification panels that might show thumbnails, etc. Browsers are at least sandboxed, but I’m not sure the same is always true of everything else that needs to process image data.