But previewing can involve automatically loading resources. This "attack" is very similar to CSRF in that your exploit involves making the victim load a specific resource. That's why in secure mail clients, nothing but plaintext should be rendered, and an optional "Load all resources" button is shown for when you trust the sender, and want to load any media elements that require HTTP onto your client.

Signal could mitigate this with something similar, where it didn't load the image file AT ALL, and instead showed a message:

<User> wants you to load an image from https://example.com/foo.png. Load image? > Yes > No