Michael Bell from Bellular Studios just did a video about it if you want something to listen to. It is pretty much all of it that was said here.
How Baldur's Gate 3 Humbled AAA

I use Docker Mailserver . It is pretty lightweight, but it does not come with any fancy GUI for configuration, that is done on the command line mostly.

You actually can prevent this easily with CSP (content security policy). That header tells your browser which adresses it is allowed to load additional data from when visiting your site. It is an important tool to prevent cross-site scripting attacks, your browser should not load data from random sources when it is on your site.
Of course you would have to funnel all inline images through a site-local proxy that the browser is allowed to load data from.

This also has not only security implications, but also with the GDPR. Some jurisdiction consider ip addresses as personal data. Sending them to e.g. the US without user consent would be a violation. I know it is stupid to consider ip addresses as personal data and it is stupid to consider a browser loading data as sending that personal data somewhere on the sites' behalf. But there is a reason why a lot of websites for example only embed tweets after you explicitely allow it.

It is pretty straight forward if you use the provided docker-compose file with the nginx internal proxy in it. Just add traefik as per usual to the internal port 8536 of the proxy container.

If you have configured that tailscale node as Subnet Router or Exit Node then yes, that is supposed to happen.