that requires the given parser (the web browser, the image lib, etc.) to arbitrarily run code in the first place
At the most base level, every image is data, and any data can theoretically be code. The image’s data has to be parsed (like you said) and the parser can be exploited to trigger code execution.
I don’t think you understand how exploits work. We’re not talking about “running JS in an image viewer”.
https://blog.cloudflare.com/inside-imagetragick-the-real-payloads-being-used-to-hack-websites-2/
https://www.bitdefender.com/en-us/blog/hotforsecurity/openjpeg-vulnerability-allows-execution-of-malicious-code-using-crafted-images
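The point that an image is data a parser has to trust or check, shown as an added example that is not part of the original thread: a decoder for a made-up "TIMG" format, once trusting the size fields in the file and once validating them. The format, function names and sample bytes are all constructed for illustration and do not correspond to ImageMagick or OpenJPEG code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PIXELS 64u  /* capacity of the caller's fixed pixel buffer */
#define HDR_LEN 8u      /* "TIMG" + u16 width + u16 height, little endian */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Vulnerable: width*height comes straight from the file and is used as the
 * copy length with no check against out[] or against the file length. */
int decode_unchecked(const uint8_t *file, size_t len, uint8_t out[MAX_PIXELS]) {
    (void)len;
    size_t n = (size_t)rd16(file + 4) * rd16(file + 6);
    memcpy(out, file + HDR_LEN, n);  /* writes past out[] when n > MAX_PIXELS */
    return (int)n;
}

/* Hardened: every file-controlled field is validated before it is used. */
int decode_checked(const uint8_t *file, size_t len, uint8_t out[MAX_PIXELS]) {
    if (len < HDR_LEN || memcmp(file, "TIMG", 4) != 0) return -1;
    size_t n = (size_t)rd16(file + 4) * rd16(file + 6);
    if (n == 0 || n > MAX_PIXELS) return -2;  /* declared size exceeds buffer */
    if (n > len - HDR_LEN) return -3;         /* declared size exceeds file */
    memcpy(out, file + HDR_LEN, n);
    return (int)n;
}

/* Constructed sample files: valid 2x2, huge declared size, short pixel data. */
static const uint8_t GOOD[]      = {'T','I','M','G', 2,0, 2,0, 10,20,30,40};
static const uint8_t OVERSIZED[] = {'T','I','M','G', 0xFF,0xFF, 0xFF,0xFF, 1,2,3,4};
static const uint8_t TRUNCATED[] = {'T','I','M','G', 4,0, 4,0, 1,2,3};

int main(void) {
    uint8_t out[MAX_PIXELS];
    printf("good: %d\n", decode_checked(GOOD, sizeof GOOD, out));
    printf("oversized: %d\n", decode_checked(OVERSIZED, sizeof OVERSIZED, out));
    printf("truncated: %d\n", decode_checked(TRUNCATED, sizeof TRUNCATED, out));
    return 0;
}
```

Only `decode_checked` is called on the malformed samples; `decode_unchecked` is there to show which two checks were missing.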