I do find it problematic that the media file that I see might not be what the original author intended to share (due to a malicious server).
The media file (or its sha256) should be included in the event signature, and clients should verify it.