Thank you very much for clarifying this and for the example of how you’re doing it (likely more efficient than my current mess - sometimes you miss the bigger picture when you look too hard). I suppose I read too much into the guideline!
The data:image part was a poorly chosen example to express what I thought the guideline was meant to prevent, I don’t intend to actually do something like that. My concern was more along the lines of the possibility to inject scripts, e.g. if the backend was compromised or if I had bad intentions, but I realize now there are technical restrictions in place to prevent this kind of abuse already.