Hey @tbinna, so sorry for the delayed response, just wanted to give you an update on this:
Both project and issue type avatars should be private and we will be rolling out a patch to ensure that’s the case within the next few weeks. Please assume those URLs will require authentication and any requests coming from third-party apps will need to be proxied.
Hope this makes sense, and please let us know if you have any further questions! 