We only allow a whitelisted set of content types to be displayed inline (not including SVG).
Actually, looks like I may have made a mistake in my test. It doesn't seem to work as simply as I thought. You may be able to get the uploaded SVG embedded in a context where script does run (object, iframe, etc) and I would imagine it'd be running in the served domain context, though I'd have to confirm this.
SVG most definitely has been an attack vector before -- GMail was bitten by it, for example (involved code running in their domain context).