Currently using react-dropzone seems to solve most of the major issues for me. Use that to get a signed URL via API, then upload from client to image server directly.
Many exploits involve running arbitrary code hidden in encoded image and video files, notably Pegasus among others. This should be treated as cryptography.