As I noted within my post #9955859@lemm.ee (alternate link), I found that thumbnail generation in Element is an enourmous privacy, and security vulnerability. Thumbnails are generated server-side, regardless of E2EE settings. What this means is that the URLs that one sends would be leaked out of your encrypted chats to the server.
I agree. That’s a terrible choice to me.
Why would they not just offload this as a feature for the client to handle? At least then the security and privacy ultimately would be up to the user’s decision.
Post a link to a channel of 1k users and 1k users send a request to the website, instead of only the server once?
/edit: From a privacy standpoint I’d really trust my chat server provider over random websites. So I definitely don’t see how it’s a terrible choice for these two reasons.
That being said, if you’re concerned, disabling previews is the answer.