Due to European privacy regulations, it's best to avoid request to third party domains initiated by a website you host. It's hard to achieve compliance with Discourse, as the Onebox feature makes the browser fetch the thumbnail from the original website, making it a third-party request. See the below oneboxed article:
https://www.theregister.com/2022/01/31/website_fine_google_fonts_gdpr/
You can see in the devtools that the image is downloaded from a third party website. As the article also points out, it's a GDPR issue even if the request has no cookies.
Currently I disabled onebox for my instance of Discourse, but I'd love to introduce it back in a way that more strictly respects privacy and isn't opening a way to get a fine
Discuss this on our forum.