In %minbase and %mvd I use a simpler avatar algorithm that only honors the avatar images uploaded by their authors. Also, these clients do not allow you to upload avatars for other people.

Handling avatars this way solves this security issue.

I also think this is the expected workflow from people coming from other social networking platforms. You can't upload a photo for someone else on Twitter or FB.

This won't stop someone from uploading a photo of you, but it won't be appended to your profile page for everyone to see upon first load.