Board Bitcoin Technical Support
Re: Thinking of downloading Bitcoin Core
by Carlton Banks on 08/12/2015, 02:05:36 UTC
-snip-
I would urge anyone thinking about doing this to think twice. The bootstrap.dat linked from the website could actually be some kind of attack, although I don't know exactly how the file gets used so I can't tell you what the vector might be.

Anyway, since 0.10, the bootstrap.dat method is basically obsolete. It is not faster than downloading directly over the Bitcoin network, so it serves no purpose.
Unless you end up getting an .exe file, it is not much of a risk. Bitcoin automatically verifies each block to ensure that it is valid.

Headers-first synchronization allows the client to download from various sources and verify simultaneously.

I think you're right. I guess thinking about it, the .dat file is just checkpointed block data. I was thinking that maybe an intentionally malformed bootstrap.dat could be used to exploit the user somehow, but on second thoughts, it's not possible (in an obvious way, at least). Once verified, the user node consults the rest of the network, so bootstrap.dat isn't a viable attack channel.
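
The kind of check discussed in this thread, as an added example that is not part of the original posts and is not Bitcoin Core's code: a reader for bootstrap.dat-style records (`[4-byte magic][4-byte little-endian length][block]`) that accepts a header only if its hash meets its claimed target and it anchors to the known genesis hash. The function names and the sample file are assumptions made for illustration, records are assumed to be in chain order, and only headers are checked here (a full node also validates the expected difficulty, the merkle root and every transaction).

```python
import hashlib, struct

MAGIC = bytes.fromhex("f9beb4d9")  # mainnet message-start bytes
# Mainnet genesis block header (80 bytes) and its well-known hash.
GENESIS_HEADER = bytes.fromhex(
    "01000000" + "00" * 32
    + "3ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4a"
    + "29ab5f49" + "ffff001d" + "1dac2b7c")
GENESIS_HASH = "000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f"

def block_hash(header):
    """Double SHA-256 of the header, shown in the usual byte-reversed hex."""
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()[::-1].hex()

def target_from_bits(bits):
    """Expand the compact nBits field into the full 256-bit target."""
    exp, mant = bits >> 24, bits & 0x007FFFFF
    return mant << (8 * (exp - 3)) if exp >= 3 else mant >> (8 * (3 - exp))

def read_records(data):
    """Yield each block payload; reject bad framing instead of guessing."""
    pos = 0
    while pos < len(data):
        if len(data) < pos + 8 or data[pos:pos + 4] != MAGIC:
            raise ValueError(f"bad magic or short record at offset {pos}")
        (size,) = struct.unpack_from("<I", data, pos + 4)
        block = data[pos + 8:pos + 8 + size]
        if size < 80 or len(block) != size:
            raise ValueError(f"truncated or undersized block at offset {pos}")
        yield block
        pos += 8 + size

def verify_headers(data, anchor_hash=GENESIS_HASH):
    """Return hashes of accepted headers; raise ValueError on the first bad one."""
    accepted, prev = [], None
    for block in read_records(data):
        header = block[:80]
        h = block_hash(header)
        (bits,) = struct.unpack_from("<I", header, 72)
        if int(h, 16) > target_from_bits(bits):  # proof of work vs claimed target
            raise ValueError(f"{h}: hash does not meet its claimed target")
        if prev is None and h != anchor_hash:
            raise ValueError("first block is not the expected genesis block")
        if prev is not None and header[4:36][::-1].hex() != prev:
            raise ValueError(f"{h}: does not link to the previous block")
        accepted.append(h)
        prev = h
    return accepted

def sample_file():  # constructed sample: genesis header + 1 placeholder body byte
    return MAGIC + struct.pack("<I", 81) + GENESIS_HEADER + b"\x00"
```

Changing any byte of a header in the file changes its hash, so the record fails the target check or the anchor check and is rejected.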