If the Content-Type header failed to get sent, or if a browser (lookin' at you, IE) chooses to ignore it in favor of what it thinks it probably should have been, then the result can get rendered as HTML. If you have some JSON that has angle brackets in it (which, being JSON, would obviously not be HTML-escaped) and the result is rendered as HTML, this can result in your browser executing attacker-defined JavaScript in Twitter's origin.
Sending it as a "file download" has no effect on what happens when the endpoint is called via AJAX, but in the event that a browser navigates to it directly, ensures that even the dumbest of browsers do not render it as HTML.
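As an added illustration of the mitigation discussed above (example code written for this page, not Twitter's implementation or anything from the thread), here is a small Python helper that emits a JSON response with a forced-download disposition, plus a check that tells you whether a given response would be at risk if a browser ignored its declared type. The `X-Content-Type-Options: nosniff` header is an additional, widely supported defense that the post itself does not mention; the header names and the `assess_json_response` function are this example's own.

```python
import json

def json_response(payload):
    """Serialize payload as JSON and attach the headers that keep a browser
    from rendering it as HTML on direct navigation. Returns (headers, body)."""
    body = json.dumps(payload)  # json.dumps does not escape '<' or '>'
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        # Forces a download when navigated to directly; has no effect on
        # XHR/fetch callers, which read the body regardless.
        "Content-Disposition": "attachment; filename=response.json",
        # Extra mitigation (not in the post): tells the browser not to
        # second-guess the declared Content-Type.
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body

def assess_json_response(headers, body):
    """Return which sniff-to-HTML defenses a response lacks and whether the
    combination of missing defenses and markup in the body makes it risky."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    missing = []
    if not h.get("content-type", "").startswith("application/json"):
        missing.append("content-type missing or not application/json")
    if "attachment" not in h.get("content-disposition", ""):
        missing.append("no Content-Disposition: attachment")
    if h.get("x-content-type-options") != "nosniff":
        missing.append("no X-Content-Type-Options: nosniff")
    # Angle brackets are legal inside JSON strings and are not HTML-escaped,
    # which is exactly what makes a sniffed-as-HTML response dangerous.
    has_markup = "<" in body or ">" in body
    return {
        "has_markup": has_markup,
        "missing": missing,
        "at_risk": has_markup and bool(missing),
    }

if __name__ == "__main__":
    # Constructed sample: user-controlled text containing markup.
    hdrs, body = json_response({"bio": "<b>hi</b>"})
    print(assess_json_response(hdrs, body))
    print(assess_json_response({"Content-Type": "application/json"}, body))
```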