Reading @anforowicz's Gradual CORB -> ORB transition it occurred to me there's another way we attempt to avoid hitting the expensive option. By checking if the file starts with %PDF- and such.

I suspect this will not help in the common case (as that ought to be legitimate JavaScript fetches), but it will make certain timing attacks harder.