And it’s the reason why proxying media through your Lemmy instance is important. It is not yet implemented though:

https://github.com/LemmyNet/lemmy/issues/2947 https://github.com/LemmyNet/lemmy/issues/1036 https://github.com/LemmyNet/lemmy-ui/issues/54

If you consider your IP address private info, use Lemmy with a VPN, until this issue is resolved.

I personally don’t do anything with data received from requests to that image endpoint, except make an image and send it as a response. I will take that endpoint down when the issue is resolved (or after some time).

If post images are proxied, there’s still inline images that potentially make arbitrary requests: