Hi @Alexandr
Thanks for reaching out.
Our approach for the Forge platform is to be secure by default. This means that all egress is either blocked or under the control of the customer admin.
We do, however, allow some internal Atlassian services & images to be included by default, such as our avatar URLs and some internal APIs that enforce tenant isolation. More information can be found here.
However, we cannot just allow all images by default, as embedded images can be a source of security threats, with mechanisms such as steganography and the use of polyglot image files, which can lead to XSS attacks.
As mentioned by @clouless, we are looking at opening up the restrictions with the support of configurable egress, which aims at putting the approval and configuration part of the egresses back to the site admin.
However, we have not committed to what those configurable egresses would mean for the Runs on Atlassian eligibility.
Hope this helps.