This idea came into my mind after this topic.
Right now Waterhole embeds automatically all media (handy) files as far as I know and this does create potential security issues. External images/videos can be replaced with malicious files or NSFW content. There is no way to control this. Vulnerabilities risk is low, but still there was incidents before such as CVE-2015-8126 and hopefully modern browsers handle it better.
Easiest option would be to have toggle in admin to restrict auto/load embed of external images/videos. On the other hand there can be a more complex solution like screenshot down below (external image as well :P). That will show external content only if user agrees to and it could be used for NSFW content as well.
This is less "Idea" and more open discussion, because there is more important features in the roadmap and perhaps this could be achieved with the plugin instead?