I'm not familiar with the backend of how Pi-hole adds blocklists. Does it download a copy of the file and analyze it? If it downloads a copy, then it would be theoretically possible for someone to put malicious software in the file, and for it to then infect the machine.
Does it handle importing the domains in a different way, such that viruses and malware are not a concern?
For now, I'm being extremely careful and picky about which blocklists I add, only adding well-known and tested ones. I know this is best practice, as a poorly made blocklist can cause more harm than good, regardless of whether or not it has malware, but there are some lesser-known third party blocklists I would like to add. I just want to make sure I'm not going to give my Pi-hole machine a virus or anything by adding a blocklist.