by gvjddbnvdrbv 2123 days ago
I'm curious how workplaces do this. Do they have a root cert installed so they can MITM SSL traffic?
4 comments

Yes, exactly. And, ironically, many of these solutions can make you less safe; at one of my former employers we had something like this, but the problem is that since you're getting a cert from the MITM server, you're not able to inspect the cert from the real server, and at least in the case of the Cisco product we were using, the MITM server wouldn't bother to inspect it either; expired certs, certs with the wrong CN, self-signed certs, didn't matter - the MITM server would ignore the problem and happily replace the cert with a valid one signed by the company CA.
That is more often a configuration issue than a technology issue. MITM proxies can be configured to reset connections to sites with invalid/expired certificates.
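The failure mode described in the two comments above, a proxy that re-signs whatever the origin presented versus one configured to reset the connection on an invalid upstream certificate, modelled in Go as an added example. This is not code from the thread or from any vendor's product. It builds a toy in-process PKI with crypto/x509 (the `issue` helper, the `proxy` type, the "Public Root" and "Corp Internal CA" names and the hostname example.test are all hypothetical) and models only the certificate decision, not the network plumbing or WCCP redirection.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// cert pairs a parsed certificate with its private key.
type cert struct {
	crt *x509.Certificate
	key *ecdsa.PrivateKey
}

var serial int64 // toy serial counter; hypothetical, not a real CA

// issue mints a certificate for name signed by parent, or self-signed when parent is nil.
func issue(name string, notAfter time.Time, isCA bool, parent *cert) *cert {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-48 * time.Hour),
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // Go's verifier requires this on issuers
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent.crt, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &cert{crt: parsed, key: key}
}

// proxy models the inspecting appliance: it terminates the client's TLS session with a
// certificate minted under the corporate CA and opens its own session to the origin.
type proxy struct {
	corpCA *cert
	roots  *x509.CertPool // public roots the proxy trusts when it talks upstream
	strict bool           // true: reset the connection when the origin's cert is invalid
}

// relay takes the certificate the origin presented and returns the certificate the
// client will see, or an error when the proxy resets the connection instead.
func (p *proxy) relay(host string, origin *x509.Certificate) (*x509.Certificate, error) {
	_, err := origin.Verify(x509.VerifyOptions{Roots: p.roots, DNSName: host})
	if err != nil && p.strict {
		return nil, fmt.Errorf("reset: origin certificate for %s rejected: %w", host, err)
	}
	// A lenient proxy gets here even when err != nil: an expired, wrong-name or
	// self-signed origin cert is replaced by a fresh one chained to the corporate CA,
	// so the client only ever sees a valid chain and cannot detect the problem.
	return issue(host, time.Now().Add(24*time.Hour), false, p.corpCA).crt, nil
}

// clientTrusts models a managed workstation that has the corporate CA installed.
func clientTrusts(presented, corpCA *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(corpCA)
	_, err := presented.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// outcomes runs one good and three broken origins through a proxy and reports, per case,
// whether the client ended up with a connection it considered valid.
func outcomes(strict bool) map[string]bool {
	const host = "example.test"
	publicCA := issue("Public Root", time.Now().Add(time.Hour), true, nil)
	corpCA := issue("Corp Internal CA", time.Now().Add(time.Hour), true, nil)
	roots := x509.NewCertPool()
	roots.AddCert(publicCA.crt)
	p := &proxy{corpCA: corpCA, roots: roots, strict: strict}
	origins := map[string]*x509.Certificate{ // constructed sample origins
		"valid":       issue(host, time.Now().Add(time.Hour), false, publicCA).crt,
		"expired":     issue(host, time.Now().Add(-24*time.Hour), false, publicCA).crt,
		"wrong-name":  issue("other.test", time.Now().Add(time.Hour), false, publicCA).crt,
		"self-signed": issue(host, time.Now().Add(time.Hour), false, nil).crt,
	}
	res := make(map[string]bool, len(origins))
	for name, origin := range origins {
		presented, err := p.relay(host, origin)
		res[name] = err == nil && clientTrusts(presented, corpCA.crt, host)
	}
	return res
}

func main() {
	for _, strict := range []bool{false, true} {
		fmt.Printf("strict=%v: %v\n", strict, outcomes(strict))
	}
}
```

With strict=false every origin, including the expired, wrong-name and self-signed ones, reaches the client as a clean corporate-CA-signed chain; with strict=true only the valid origin is relayed and the other three are reset, which is the configuration the reply above is describing.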
Every place I ever worked did exactly this. They use a protocol called WCCP which is essentially source routing, so if you're going to the internet on certain ports it routes you to a proxy server instead of whichever router it normally would.

Most companies big enough to do this already have their own internal CA installed on all the machines, for internal sites, so they use that same CA to sign the MITM cert. With so many sites using HSTS it can be annoying if you access a site while off the network.

As far as them knowing the content of a particular image they would need to have some kind of machine learning like this extension.

You could still run your own layer of encryption through that pipe though.
Presumably that is against policy and would get you fired?
Basically yes.