@email@example.com That's why I mentioned initially that I'm concerned that they'll open the number of websites up after a while.
I don't mind the current way of link previews, but I'm quite sure it won't stay that limited. And that again open up the mentioned attack vector.
About the proxy implementation: The proxy can't mask the UA as do a layer 4 proxying. So it's up to the client implementation. That again doesn't seem to implement any special mitigations to hide the UA.
This is my personal microblog. It's filled with my fun, joy and silliness.