I can see the use cases for these custom headers but I’m not comfortable with leaking even more internal information like client IDs to third parties.
The current image fetcher operates on the client side and already leaks the client IP address to third parties when loading external images within channel descriptions.
If these headers get added, there needs to be a way to whitelist specific trusted URLs or URL patterns to receive those headers.
You can’t brag about your awesome encryption features but then have the client broadcast internal data out into the world, even if it is just IDs.
And before anyone argues that IDs are not secret:
There is a difference between exchanging essential data between server and client in a controlled environment which is subject to ACLs and the server broadcasting that data out into the world without anyone even thinking about it.
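The URL allowlist suggested in the post could look like the sketch below. This is an added example, not part of the original post or of any project's code; the allowlist entries, hosts and function names are assumptions made for illustration. It fails closed and re-checks every redirect hop, so a trusted host cannot pass the headers on to an untrusted one.

```python
from urllib.parse import urlsplit, unquote

# Constructed allowlist entries: (host pattern, path prefix). HTTPS only.
ALLOWLIST = [
    ("img.example.org", "/"),
    ("*.cdn.example.org", "/avatars/"),
]

def host_matches(host, pattern):
    """Exact match, or a '*.' wildcard that requires a real subdomain label."""
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".cdn.example.org"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

def is_trusted(url, allowlist=ALLOWLIST):
    """Fail closed: anything unparsable or unexpected is untrusted."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port   # .port raises on junk ports
    except ValueError:
        return False
    if parts.scheme != "https" or host is None or port not in (None, 443):
        return False
    if parts.username is not None or parts.password is not None:
        return False                              # reject user@host forms
    path = unquote(parts.path) or "/"
    if ".." in path.split("/"):
        return False                              # prefix must not be escaped
    return any(host_matches(host, h) and path.startswith(p)
               for h, p in allowlist)

def headers_for(url, identity_headers):
    """Identity headers go only to allowlisted URLs; all others get none."""
    return dict(identity_headers) if is_trusted(url) else {}

def headers_per_hop(redirect_chain, identity_headers):
    """Re-evaluate on every redirect hop instead of reusing the first result."""
    return [headers_for(u, identity_headers) for u in redirect_chain]
```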