[dawnerd]

I was thinking if an image is injected, it'd be injected by a script loaded from the plugin thus trusted.

[tinus_hn]

It’s a logical thought but that isn’t how it works.

A script doesn’t really inject an image, it injects an image tag which contains a reference to the image. As the image gets loaded there is no check who created the tag.