And it’s the reason why proxying media through your Lemmy instance is important. It is not yet implemented though:
https://github.com/LemmyNet/lemmy/issues/2947 https://github.com/LemmyNet/lemmy/issues/1036 https://github.com/LemmyNet/lemmy-ui/issues/54
If you consider your IP address private info, use Lemmy with a VPN, until this issue is resolved.
I personally don’t do anything with data received from requests to that image endpoint, except make an image and send it as a response. I will take that endpoint down when the issue is resolved (or after some time).
If post images are proxied, there’s still inline images that potentially make arbitrary requests:
You must log in or # to comment.
As of 0.18.0 this is still an issue