PerlMonks  

Re^2: (OT) Perk script help

by Anonymous Monk
on Nov 12, 2014 at 01:55 UTC [id://1106918]


in reply to Re: (OT) Perk script help
in thread (OT) Perk script help

... Allowing the web server to write to an area directly available via web-space likely allows for hijacking of your web server and other security or reputation related attacks. ...

And if the whole purpose is to allow uploads what then? Or update a database?

There are such things as permissions; neither uploads nor a database needs to be an attack vector.

Re^3: (OT) Perk script help
by MidLifeXis (Monsignor) on Nov 12, 2014 at 14:01 UTC

    The key part of that phrase is "directly available via web-space". Unsanitized uploads into your web space are a problem. Period. Whether that sanitization comes from an application taking out the nasty bits, requiring a human to vet them, or trusted users being the only people with access to the upload, they need to be sanitized.

    Let's take one simple application of your example: an open upload server that accepts image files and presents them directly to web space. Let's suppose that $anonymous_user finds this service. Let's also say that this $anonymous_user has a taste for images outside of the social norm, and even outside of legal boundaries. Let's now say that $anonymous_user uploads some of these images so that they can be shared with other users with the same tastes. The server owner is now in a position of helping to distribute these images. Lucky guy.

    You are correct when you say that neither uploads nor databases need to be an attack vector. Making them directly accessible in public web-space, however, falls on the "is an attack vector" side of the line. Is your quibble with the missing "public" from my statement? [note: added to original]

    --MidLifeXis
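To make the "directly available via web-space" distinction concrete, here is an added example (not code from either poster or from the original thread) of an upload handler written the way MidLifeXis describes: the file is never written under the DocumentRoot, its type is decided by magic bytes rather than by the client-supplied name or Content-Type, it sits in a quarantine directory until someone approves it, and the script rather than the web server hands the bytes back with fixed headers. The directory layout, the `store_upload`/`approve_upload`/`response_headers` names and the sample inputs are all assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Digest::SHA qw(sha256_hex);

# Assumed layout: the web server serves only $DOCROOT. Uploads live in
# directories the server never maps to a URL, so nothing a client sends is
# reachable by path. tempdir() stands in for e.g. /var/www/uploads here.
my $DOCROOT    = '/var/www/html';
my $QUARANTINE = tempdir(CLEANUP => 1);   # freshly uploaded, not yet vetted
my $APPROVED   = tempdir(CLEANUP => 1);   # vetted by a human or a policy check

# Accept only image types we can recognise by their leading bytes. The
# client-supplied filename and Content-Type are never consulted.
my %MAGIC = (
    "\x89PNG\r\n\x1a\n" => 'png',
    "\xFF\xD8\xFF"      => 'jpg',
    "GIF87a"            => 'gif',
    "GIF89a"            => 'gif',
);
my %CONTENT_TYPE = (png => 'image/png', jpg => 'image/jpeg', gif => 'image/gif');

sub sniff_type {
    my ($bytes) = @_;
    for my $sig (keys %MAGIC) {
        return $MAGIC{$sig} if substr($bytes, 0, length $sig) eq $sig;
    }
    return;    # unknown or non-image content
}

# Write an upload into quarantine. Returns the opaque stored name, or undef
# if the content is rejected. The name is derived from the content, so
# "../", ".php", spaces or shell metacharacters in $client_name cannot leak
# onto the filesystem; $client_name is kept only for logging.
sub store_upload {
    my ($client_name, $bytes) = @_;
    my $type = sniff_type($bytes) or return;
    my $name = sha256_hex($bytes) . ".$type";
    my $path = File::Spec->catfile($QUARANTINE, $name);
    open my $fh, '>:raw', $path or die "open $path: $!";
    print {$fh} $bytes;
    close $fh or die "close $path: $!";
    warn "quarantined '$client_name' as $name\n";
    return $name;
}

# The "human vets them" step from the post: only names in the strict
# hash.ext form are accepted, and the file is moved, not copied.
sub approve_upload {
    my ($name) = @_;
    $name =~ /\A[0-9a-f]{64}\.(png|jpg|gif)\z/ or return 0;
    return rename(File::Spec->catfile($QUARANTINE, $name),
                  File::Spec->catfile($APPROVED,   $name)) ? 1 : 0;
}

# Serving side: because the script answers the request, the headers are
# ours. nosniff stops browsers second-guessing the type we declare.
# Returns a header list for an approved file, or an empty list otherwise.
sub response_headers {
    my ($name) = @_;
    my ($ext) = $name =~ /\A[0-9a-f]{64}\.(png|jpg|gif)\z/ or return;
    -f File::Spec->catfile($APPROVED, $name) or return;
    return (
        'Content-Type'           => $CONTENT_TYPE{$ext},
        'X-Content-Type-Options' => 'nosniff',
        'Content-Disposition'    => "inline; filename=\"$name\"",
    );
}

# Constructed sample inputs for the demonstration.
my $png  = "\x89PNG\r\n\x1a\n" . ("\0" x 16);
my $php  = "<?php system(\$_GET['c']); ?>";

my $ok  = store_upload('cat.png', $png);                 # quarantined
my $bad = store_upload('../../shell.php', $php);          # undef: not an image

printf "image upload : %s\n", defined $ok  ? $ok  : 'rejected';
printf "php upload   : %s\n", defined $bad ? $bad : 'rejected';
printf "served before approval: %s\n", (response_headers($ok) ? 'yes' : 'no');
approve_upload($ok);
printf "served after approval : %s\n", (response_headers($ok) ? 'yes' : 'no');
```

The point the post makes is the separation of concerns: the server's static handler never sees the upload directory, so even a file that slipped past `sniff_type` cannot be executed or served under an attacker-chosen name, and the approval queue gives the "human vetting" option a concrete place to live.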
