Nautilus trusts desktop files that have the executable bit set, and doesn't replace the displayed icon or the displayed name until the file is trusted, which prevents a malicious desktop file from running random programs.
However, the executable permission is preserved if the desktop file comes from a compressed file. A maliciously crafted file opened by the user could result in code execution.
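A defensive check for the condition described above, listing `.desktop` entries that carry an execute bit inside an archive before it is extracted. This is an added example, not code from Nautilus or Red Hat; the function names are hypothetical and the sample archives are constructed in memory.

```python
import io
import tarfile
import zipfile

# Constructed sample content for the archives built below.
DESKTOP_BODY = b"[Desktop Entry]\nType=Application\nName=Sample\nExec=/bin/true\n"
SAMPLES = (("docs/report.desktop", 0o755), ("docs/plain.desktop", 0o644))

def flagged_in_tar(fileobj):
    """Names of regular .desktop members in a tar archive with any execute bit set."""
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        return [m.name for m in tar.getmembers()
                if m.isfile() and m.name.lower().endswith(".desktop") and m.mode & 0o111]

def flagged_in_zip(fileobj):
    """Same check for zip: Unix mode bits sit in the high 16 bits of external_attr."""
    with zipfile.ZipFile(fileobj) as zf:
        return [i.filename for i in zf.infolist()
                if i.filename.lower().endswith(".desktop")
                and (i.external_attr >> 16) & 0o111]

def sample_tar():
    """Constructed tar.gz: one executable .desktop file and one without the bit."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode in SAMPLES:
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(DESKTOP_BODY), mode
            tar.addfile(info, io.BytesIO(DESKTOP_BODY))
    buf.seek(0)
    return buf

def sample_zip():
    """Constructed zip with the same two entries and Unix permissions recorded."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, mode in SAMPLES:
            info = zipfile.ZipInfo(name)
            info.external_attr = (0o100000 | mode) << 16  # regular file + mode
            zf.writestr(info, DESKTOP_BODY)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print("tar:", flagged_in_tar(sample_tar()))
    print("zip:", flagged_in_zip(sample_zip()))
```
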
Created nautilus tracking bugs for this issue:
Affects: fedora-25 [bug 1490873]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2018:0223 https://access.redhat.com/errata/RHSA-2018:0223