
These are not delivered along with the notification-- they're provided (client-side) by the application that the notification was sent for. So, while a notification could display dynamic content here depending on the content of the notification (for example, this is the same mechanism as used by Mail on iOS for mail previews) and the preview code should take the untrusted nature of the content into account if it does, it doesn't have to and it's not any different than running the application itself in terms of security issues.



A web browser displays dynamic content all the time and is considered safe.


No. Nowadays you should still disable JavaScript as well as video playback in your browser if you want to be safe.

There was a brief period some years ago where browsers looked "pretty safe", but we have quickly backtracked by stuffing JS and browsers full of new APIs that are creating new vulnerabilities.

Edit: Yes. Downvoting will surely reduce the amount of CVEs.

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=chrome+v8

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=chrome+sand...

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox

There were also Chrome RCEs & sandbox escapes discovered in the wild as recently as November:

https://twitter.com/benhawkes/status/1323374326150701057

https://googleprojectzero.github.io/0days-in-the-wild/0day-R...

And for Firefox:

https://googleprojectzero.github.io/0days-in-the-wild//0day-...


I mean you might as well just disable all connectivity on your computer if you only feel safe by not having CVEs show up in a search. Generally people want to still receive content though and are looking for the safest ways to do that, not ways to re-enact Bubble Boy, and for that browsers actually rank pretty good against most any other ways to get dynamic content.


The question wasn't "what is the safest way to display dynamic content", the question was "is displaying dynamic content (this way) safe".

And the answer is no. Web browsers are the safest way to run arbitrary code in a sandbox on your computer - which is what dynamic content in this context really means - the same way that aiming at your feet is the safest way to shoot yourself.


I’ve run NoScript for years. I selectively enable JS. It’s fine.


You'll be safe because you can't effectively use the modern internet :)


Dissenters and dissidents stick together; you have my vote.



