Withhold the open-in-new-tab action for SVG previews. The link is a
top-level navigation to a blob URL, which inherits the app's origin, so
a user-controlled SVG containing <script> would execute as same-origin
script. Inline <img> rendering is unaffected and stays available.

Also give the icon-only header actions (open-in-new-tab, fullscreen
toggle, close) explicit aria-labels and mark their decorative SVG icons
aria-hidden, so screen readers announce each action instead of relying
on title alone.
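
An added example, not code from this commit or its project: one way to gate the preview actions on the blob's MIME type. It goes beyond the SVG case described above by failing closed, offering top-level navigation only for an allowlist of raster types. The names `previewActions`, `mimeEssence` and `PASSIVE_RASTER_TYPES` are hypothetical.

```javascript
// Added example; all names here are hypothetical, not the project's own.

// Types that stay passive when a blob: URL is opened as a top-level
// document. Anything else (SVG, HTML, XML, unknown) is not navigated to,
// because the blob: URL carries the origin of the page that created it.
const PASSIVE_RASTER_TYPES = new Set([
  "image/png",
  "image/jpeg",
  "image/gif",
  "image/webp",
]);

// Reduce a Blob.type / Content-Type value to its bare lowercase form,
// e.g. "Image/SVG+XML; charset=utf-8" -> "image/svg+xml".
function mimeEssence(type) {
  if (typeof type !== "string") return "";
  return type.split(";")[0].trim().toLowerCase();
}

// Decide which preview actions to render for a blob of the given type.
function previewActions(blobType) {
  const essence = mimeEssence(blobType);
  return {
    // <img> rendering does not run script, so SVG stays available inline.
    inlineImg: /^image\/[a-z0-9.+-]+$/.test(essence),
    // Top-level navigation only for types that cannot carry script.
    openInNewTab: PASSIVE_RASTER_TYPES.has(essence),
  };
}

// Constructed sample inputs.
const samples = [
  "image/png",
  "image/svg+xml",
  "Image/SVG+XML; charset=utf-8",
  "text/html",
  "",
];
for (const type of samples) {
  console.log(JSON.stringify(type), previewActions(type));
}
```
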