This won't work if implemented browser-wide, as malicious websites will just adjust the URLs for their images to compensate. In general, URL file extension snooping only causes more problems than it solves.
Maybe. It seems sensible to me that if the UA is requesting a path that ends in .jpg (for instance), they're expecting a JPEG and the UA should accept image/jpeg. At least if this escalates the arms race, user-hostile websites won't commit this specific crime; instead, they'll serve content that better matches the URL.