"Y'know, I'd probably be better off disabling remote images and CSS by default for third party domains here since one can actually embed off site content without using a frame."
"So that means you trust some random user with a website less than you trust iframely?"
"Well, I guess I don't trust them either, but at least if they turn out to be doing bad stuff, someone else is more likely to tell me about it."
"And you trust them less than Discord?"
"I don't trust Discord to be smart enough to scrape useful data from their CDN without using cookies."
No real conclusion here, just had a simple thought that turned into a complex thought. In all honesty I don't have an answer, but I do think I'll have remote domain images blocked by default and add them in on a case by case basis.
Splitting these into two parts because part 2 is very different.