I have already asked the same question before on the forum, sorry for posting again. I asked the following question.
"I am trying to display images (png, jpeg, gif, svg) directly in the browser instead of letting the users download them. I've read in so many places that having the Content-Disposition header as inline might cause some security issues, and it is better to have it as attachment. Can anyone provide me a scenario where this might be a problem?"
From the answers to my previous post, I could see that mostly the security issues are caused when a malicious attacker injects a script along with the image. Can we tackle this problem by adding a Content-Security-Policy of script-src 'none'? My use case for this question only requires displaying the image in the browser window, and nothing else.
It is good to have .svg files created and uploaded only by the developers. If you give it to end users or content authors, then you need to set up proper governance and everything should be reviewed and approved.