It is possible for an attacker to save a malicious link or image ip address logger as profile image and most of the nostr clients leak IP address for the users if they view the profile image in an event or elsewhere.