I'd prefer regular Debian packaging plus containerisation via systemd-nspawn or just the various systemd security features that use the same Linux namespacing features as Docker.
That is a pretty serious bug in whatever email program allows tracking images to work in email. Seems unlikely anyone would use such an email program. Which email program are you talking about?
If your e-mail program sends an HTTP request for an image based on an "img" tag in an HTML-formatted e-mail, it can get tracked based on the URL.
Many e-mail clients will not show images from e-mail addresses that are not in your contacts list for this reason (for example, Thunderbird). They make the user click a button to make the decision to proceed with the image download an explicit action.
All of them that I use commonly. Outlook, Thunderbird, and Mail.App all do (though in each case, the user has some control over "download external content?", often on-click).
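An added example, not written by any of the posters above: a mail filter or reviewer can list the image fetches an HTML message would trigger before anything is rendered. The sample message, the hosts and the names `ImgCollector` and `remote_images` are constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; hosts and addresses are placeholders.
SAMPLE = """\
From: news@sender.example
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello</p>
<img src="cid:logo@sender.example">
<img src="https://tracker.example/open.gif?id=abc123" width="1" height="1">
<img src="data:image/gif;base64,AAAA">
</body></html>
"""

class ImgCollector(HTMLParser):
    """Records every <img> whose src would cause a network fetch."""
    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        url = urlsplit((a.get("src") or "").strip())
        # cid: (attached part) and data: (inline bytes) need no request.
        if url.scheme in ("http", "https") or (not url.scheme and url.netloc):
            self.remote.append({
                "host": url.hostname,
                "has_query": bool(url.query),  # a query string can carry an ID
                "pixel": a.get("width") in ("0", "1") and a.get("height") in ("0", "1"),
            })

def remote_images(raw_message):
    """Return the remote <img> fetches in every text/html part of a message."""
    msg = message_from_string(raw_message, policy=default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = ImgCollector()
            parser.feed(part.get_content())
            parser.close()
            found.extend(parser.remote)
    return found
```

Only the `https://` image is reported; the `cid:` and `data:` images resolve from the message itself and reveal nothing to a remote server.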