Immich has a whole set of end-to-end automated tests to ensure they don’t accidentally make public any URLs they went to be private:
https://github.com/immich-app/immich/tree/main/e2e/src/api/specs
As a popular open source project, that would be e glaring security hole.
Using this proxy puts the trust in a far less popular project with fewer eyeballs on it, and introduces new risks that the author’s Github account is hacked or there’s vulnerability in he supply chain of this docker container.
It’s also not true that you “never need to touch it again” . It’s based on Node whose security update expire every two years. New image should be built at least every two years to keep to update with the latest Node security updates, which have often been in their HTTP/HTTPS protocol implementations, so they affect a range of Node apps directly exposed to the internet.
I like the project but use DIY Sway.