I suppose that brings this to a close.
I apologize for stirring things up over the holidays. Having been on the receiving end of identity theft (albeit due to a much more sophisticated exploit), and having dealt with the cleanup of networks compromised by leaked contact info costing millions in man hours, I felt it incumbent to push for an answer as quickly as possible. I have no idea how popular EM Client is so can only guess as to the potential fallout of a working exploit. However, it’s been my experience, and it’s generally accepted practice, to plan for the worst.
I agree it’s highly unlikely the avatar feature could be leveraged to expose someone’s identity, not only giving spammers a live target but also placing them at higher risk for social engineering and phish attacks. But for those unaware of the feature it does put them at risk even if an extremely small one.
In my humble opinion it really should be up to them to decide if the risk is worth the benefit avatars bring to their email experience. But it’s hard to make a choice when completely unaware of the stakes.
I’m happy to say I’m done rocking the boat over this. If what I’ve shared isn’t enough to demonstrate there’s a risk that’s good enough for me. I honestly hope no harm comes from it.