Yeah, I actually was invited onto JS Party to talk about this and we went into further detail https://changelog.com/jsparty/243

You CAN make a file input look like something else and trick a user to click it, but the same applies whether it has the capture attribute or not. You CANNOT trigger a click event on a file input without some sort of user interaction. You CANNOT access the camera feed with JS. Only the actual file that captured, making it about as safe as the regular file input.

However, KBall brought up a good point that if the captured image contains EXIF data containing the location, then it would be slightly concerning that you would effectively know time and location of a user.