This is a security release.
The Content-Disposition HTTP header has always been set to inline, which causes untrusted content opened in browsers, including HTML files, to be rendered instead of downloaded. This release forces them all to be attachment. This has no impact on Matrix clients.
Users who use a restrictive Content-Security-Policy are not affected by any XSS concerns here.
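
A way to check a media response for the behaviour described above, as an added example that is not code from the project: it classifies response headers by whether a browser would download the body or render it. The sample headers are constructed, and treating a Content-Security-Policy as restrictive when it prevents script execution is this example's assumption.

```python
# Added example: classify how a browser would treat a media response.

def disposition_type(value):
    """Return the lowercase disposition type; a missing header acts as inline."""
    if not value or not value.strip():
        return "inline"
    return value.split(";", 1)[0].strip().lower()

def csp_directives(value):
    """Parse a CSP header into {directive: [lowercase tokens]}."""
    directives = {}
    for part in (value or "").split(";"):
        tokens = part.split()
        if tokens:
            # The first occurrence of a directive wins; later duplicates are ignored.
            directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return directives

def csp_blocks_scripts(value):
    """Assumption: 'restrictive' means scripts cannot run in the rendered document."""
    d = csp_directives(value)
    if "sandbox" in d and "allow-scripts" not in d["sandbox"]:
        return True
    script_src = d.get("script-src", d.get("default-src"))
    return script_src == ["'none'"]

def classify(headers):
    """headers: dict of response headers; names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    # Conservative for auditing: only an explicit attachment counts as a download.
    if disposition_type(h.get("content-disposition")) == "attachment":
        return "download"
    if csp_blocks_scripts(h.get("content-security-policy")):
        return "rendered, scripts blocked"
    return "rendered, scripts allowed"

# Constructed sample responses (not captured from a real server).
SAMPLES = [
    {"Content-Type": "text/html", "Content-Disposition": 'inline; filename="a.html"'},
    {"Content-Type": "text/html", "Content-Disposition": 'attachment; filename="a.html"'},
    {"Content-Type": "text/html", "Content-Disposition": "inline",
     "Content-Security-Policy": "sandbox; default-src 'none'"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample), "<-", sample.get("Content-Disposition"))
```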