Turns out this has nothing to do with AWS, NextJS or any of the code, it's a MS Word Trust Center setting. I found two possible solutions (depending on your security appetite):

Option 1 - Find the downloaded file in your file explorer, right-click --> Properties, and check the 'Unblock' box at the bottom. This needs to be done on a file-by-file basis.

Option 2 - Open Word and go to File --> Options --> Trust Center --> Trust Center Settings --> Protected View and unselect the 'Enable Protected View for files originating from the Internet' check box. Then restart Word and thereafter, all files will open correctly.