https://html.spec.whatwg.org/multipage/embedded-content.html#list-of-available-images can be copied from document to document, but does not account for differences between such documents. E.g., they might have different CSP policies or one of them might disallow Mixed Content. We should probably only allow copying of this cache to take place if that does not break any of those security policies.
No idea if implementations handle this correctly today.
I'm not sure if I'm the best person to tackle this. Feels more like the terrain of @mikewest and @zcorpan.
See also https://www.w3.org/Bugs/Public/show_bug.cgi?id=28374 for some related discussion on the security model around images (and how it differs for "cors" vs "no-cors").
In Gecko CSP checks are done on any hit from this list, precisely because of this issue. See near the end of https://bugzilla.mozilla.org/show_bug.cgi?id=1206961#c15 and https://bugzilla.mozilla.org/show_bug.cgi?id=1206961#c65 for the discussion about this when we pushed CSP checks down into something more like fetch instead of doing them before even talking to the image loader.