Yes, I was thinking about that too. It can be even worse if there is some way to do some remote code execution, and it would be very easy to infect a machine, so for example I can upload some malicious file to my blossom server and then make another server pull it from mine... But if I'm not mistaken, the only way to deal with this would be to not set any relay or CDN for discoverability of files, but this will also limit/kill the usability of the server... Maybe nostr:npub1ye5ptcxfyyxl5vjvdjar2ua3f0hynkjzpx552mu5snj3qmx5pzjscpknpr can enlighten us more
Discussion
Discovering and downloading (or streaming) blobs from other servers isn't part of the blossom spec, but it's something I added to my blossom-server implementation.
By default the example config has it set up to check cdn.satellite.earth and nostr 1063 events to find blobs, but if you want you can turn it off in the config: https://github.com/hzrd149/blossom-server/blob/master/config.example.yml#L15-L30
I don't know if there are any security implications of downloading a blob, but it's possible an attacker could flood a server by asking it to download everything from another server.