I used to think you had to always set Content-Type: application/octet-stream to force downloads, but it turns out that Content-Disposition: attachment is what really controls that behavior.
If you want users to download PDFs or images instead of viewing them, setting attachment is enough. Keeping the correct MIME type helps with things like antivirus scanning and compatibility.
I only switch to application/octet-stream if I’m dealing with files that don’t have a clear MIME type or I want to block inline rendering completely.