I was uploading a bunch of files yesterday to a flarum instance using this extension and forgot what file I was on (I was uploading individually), so I copied the URL and tried to access it. It worked.
A few days prior if I'm not wrong a GitHub exploit had this same issue, any assets uploaded would be saved EVEN if that comment/post was never actually posted.
This is the same case with this extension and it would be great help if this was fixed. Maybe store those files inside a specific folder that gets deleted every 24 hours (or less) and once a post has been posted, it moves it to an actual folder?
This may be too much work as if I'm not wrong it just saves the image to a folder and returns a URL. I might PR this if needed?