Whether you’re talking about privacy (spammers know they have a good email address if you request the image from their server) or more serious security problems (I’m one of those lucky ones who got a worm from a jpeg 2000 image), yes, the risk is real.
Well, actually you can force images to display in most email clients despite their preference settings. Fortunately most people are not equipped with the knowledge and skills to do it, since if it were easy to do then a lot of usefulness would be stripped out of email clients to protect users from the knuckleheads who would be stuffing all manner of often tasteless and vulgar stuff in our inboxes.
Basically the way such a thing is done leverages the same principles that allow one to attach a PDF or other file to an email message or send both a plain text and rich text version of a message, by using the MIME multipart protocol.
This looks nearly identical to the format of a form method=post as received by a script on a server and involves the differing sections of content being separated by what's called a boundary string and related Content-ID and Content-Disposition headers.
One takes their image(s) and encodes each as a base64 string, making note of the Content-ID and setting the Content-Disposition to inline. Then in the text/html section of the multipart one can use the image’s Content-ID where they would have used a URL, and ta-da, your image is displayed.
Like I said, it’s a good thing it’s complicated. I do such things from time to time, but only with the opt-in of users electing to receive such mails. It is sorta cool though, at least when people actually want it.
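The two image paths discussed in the comments above, seen from the recipient's side, as an added example that is not part of either comment: it parses a message and separates images embedded by Content-ID (no network request) from remote images whose fetch tells the sender's server the address is live. The addresses, the tracker URL, the placeholder image bytes and the function names are all constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed placeholder bytes standing in for an image file.
PIXEL = b"GIF89a" + bytes(20)

def build_sample() -> bytes:
    """Constructed message: one cid: image, one remote image."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "reader@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("plain text version")
    msg.add_alternative(
        '<p><img src="cid:logo@example.com">\n'
        '<img src="https://tracker.example.com/open.gif?id=123"></p>\n',
        subtype="html")
    # Wrap the HTML part in multipart/related and attach the image
    # base64-encoded, with Content-ID and Content-Disposition: inline.
    msg.get_payload()[1].add_related(
        PIXEL, maintype="image", subtype="gif",
        cid="<logo@example.com>", disposition="inline")
    return msg.as_bytes()

# Simplified src extraction; a production filter would use an HTML parser.
IMG_SRC = re.compile(r'<img\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)

def classify_images(raw: bytes) -> dict:
    """Sort <img> sources into embedded, remote and dangling cid refs."""
    msg = message_from_bytes(raw, policy=policy.default)
    # Content-IDs of the attached parts, angle brackets stripped.
    cids = {p["Content-ID"].strip("<>") for p in msg.walk() if p["Content-ID"]}
    report = {"embedded": [], "remote": [], "dangling_cid": []}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for src in IMG_SRC.findall(part.get_content()):
            low = src.lower()
            if low.startswith("cid:"):
                key = "embedded" if src[4:] in cids else "dangling_cid"
                report[key].append(src[4:])
            elif low.startswith(("http://", "https://", "//")):
                report["remote"].append(src)
    return report

if __name__ == "__main__":
    print(classify_images(build_sample()))
```

Only the entries under `remote` cause a request to the sender's server when rendered; the `embedded` ones travel inside the message itself.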