I am however a little nervous of having it as a script, because then it is difficult to localize it behind a CDN.
I have done a lot of work to send scripts, css resources, and every single image to the CDN, so I can offload that to an image server that is better suited to handle this kind of requests. But enter the proxy, and if I want to use that functionality then I have to go now through the php script with the necessary overhead.
The image is already downloaded and validated as an image, saving it in data/ instead of internal_data/ and rendering the direct url directly seems like ideal. Yes, it means it could be hotlinked, but I can protect myself through .htaccess if I wanted to
Scalability wise, if I can avoid hitting my fleet of php-fpm, it saves me one thread of those, if I can avoid loading the permission system, that is another gain, and if I can offload to CDN/images server, even better.