Don't get me wrong: I'm all for spam filters, image blocking, script filtering, graylisting, firewalling, honey potting and the general application of flamethrowers on anything 419 related. Basically if it reeks of spam it needs to be killed with fire. Simple enough? You'd think so. Not for Mail.app.
Here's a standard false positive on Junk Mail:
Obviously, the black bars were added with Adobe Photoshop Elements by yours truly. Now my filters aren't particularly well-trained, because Google Mail catches most spam, so this being a false positive is not the problem at all. However, do you see the big "Load Images" button on the top? Do you see any images? That's not because I didn't click the button. This is a simple automatically generated message without images. "Fair enough, but maybe it's just to fill up space on text-only messages and it works on HTML messages" you say? Wrong!
Another false positive. See the big "Load Images" button? See the "XBOX LIVE" image? Yah. Good job, Mail.app.
I haz disabled the safety shizzles in Mail.app immediatly.
Does it only display inline (attached) images, or also images on a remote server?
Only inline images, as far as I can tell. It's not so much a security problem as it is generally retarded to show images supplied with (suspected) spam.
Plus a 'Load images' button and still displaying images.