[hombre_fatal]

This doesn't seem to have much to do with Wordpress or its plugin ecosystem but rather an oversight since the behavior itself isn't necessarily a bug. I think the "well yeah, why would you use Wordpress?" comments kinda miss that.

It's a ubiquitous practice to serve file uploads from a place outside of webserver middleware. This happens pretty much any time an upload permalink is on a different domain or subdomain, and it's standard on probably 90% of platforms.

Discord and Twitter file upload urls would be an example off the top of my head.

It would have been prevented if the public url used a random UUID, for example. But that's also not the behavior users necessarily want for most uploads.