Of course the general consensus on reddit is "lemmy devs are clueless and dangerous". I'm pretty sure a lot of it is one guy with multiple alt accounts, though. He has a Joe McCarthy attitude about Lemmy because of one of the primary devs.
This shouldn't be hard to fix. Lemmy needs to proxy images, there's an open issue for this. Right now, I don't use Lemmy outside of Tor Browser specifically because of issues like this, and the recent XSS vulnerability is making me even more concerned. Lemmy is a great project, but it needs work and probably a security audit.