Comment by ljm

Scenario 1 extended: Add this into an ad or a popover for a porn site and potentially capture some very compromising footage.

Scenario 3: Add it as a tracking pixel in an email.

I guess there are all kinds of scenarios since it's an unsecured API that responds with an image. You can trivially embed it in anything that renders HTML.