Wow, I'm amazed by this. I was convinced that Google wouldn't have rolled out this new feature unless they had a way to avoid this sort of tracking. Isn't this exactly the privacy issue that led clients to adopt "Don't display images automatically by default" in the first place?
(Why wouldn't they let users combine this behavior with the old one? That is, don't display images by default, but if you choose to display them anyway, get the file from Google's proxy server.)
Actually, the most serious reason (and the reason why not displaying images was introduced in the first place for unknown senders) was the potential for exploits triggered via embedded images, e.g. http://news.netcraft.com/archives/2004/09/17/exploit_for_mic... or even just using it to bypass firewalls by having someone inside an organization execute a GET request (via img src=) from a browser inside the firewall. (P.S. This is one reason why write operations should always use POST...)
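The combined behaviour asked about in the thread (remote images blocked by default, and fetched through a proxy once the reader chooses to display them), sketched as an added example that is not part of the original posts or any mail client's own code. The proxy endpoint and the `data-blocked-src` attribute are hypothetical, the sample message is constructed, and only `<img>` tags are handled (CSS `url()` and other loaders are out of scope).

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

PROXY = "https://imgproxy.example/fetch?url="  # hypothetical proxy endpoint


class ImageRewriter(HTMLParser):
    """Re-emit message HTML with remote <img> sources blocked or proxied."""

    def __init__(self, show_images=False):
        super().__init__(convert_charrefs=False)
        self.show_images, self.out, self.blocked = show_images, [], 0

    def _fix(self, name, value):
        parts = urlsplit(value or "")
        # Remote means http(s) or protocol-relative; cid:/data: stay untouched.
        if name != "src" or not (parts.scheme in ("http", "https") or parts.netloc):
            return name, value
        if not self.show_images:
            self.blocked += 1
            return "data-blocked-src", value  # kept for later opt-in, never fetched
        url = "https:" + value if value.startswith("//") else value
        return "src", PROXY + quote(url, safe="")

    def _emit(self, tag, attrs, close=""):
        if tag == "img":  # srcset is dropped: it can load remote images too
            attrs = [self._fix(n, v) for n, v in attrs if n != "srcset"]
        text = "".join(f" {n}" if v is None else f' {n}="{escape(v)}"' for n, v in attrs)
        self.out.append(f"<{tag}{text}{close}>")

    def handle_starttag(self, tag, attrs): self._emit(tag, attrs)
    def handle_startendtag(self, tag, attrs): self._emit(tag, attrs, " /")
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")


def rewrite(html, show_images=False):
    """Return (rewritten_html, number_of_blocked_images)."""
    parser = ImageRewriter(show_images)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.blocked


# Constructed sample: one remote tracking pixel, one inline attachment.
SAMPLE = ('<p>Hi &amp; welcome</p><img src="http://tracker.example/open.gif?u=42" '
          'width="1"><img src="cid:logo">')
```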