Definitely. There's definitely a few methods people can do to make you download some weird stuff, access your cookies and stuff like that just by visiting the site. It's really easy to make someone do it in an airdrop as well, just make it a requirement to receive the token lol. There's also the chance of the user just being completely brain-dead that the site/app requests access to your wallet and you just, well, accept it.

To avoid it if you really wanted to participate, you do it in a VM of sorts so that everything that gets there, lives there. It's not fully isolated though afaik? I'm not sure,  never tested it, but at probably at least a lot better than letting malware directly into your PC.