Yes, you can just set the right CSP headers + the right MIME headers and those images won't get executed. So the XSS part is at least covered.
In general, proxying images through a virus scanner makes sense.
Also, you probably can't protect yourself against certain malicious images: github.com/fuzzdb-project/fuzzdb/tree/master/atta…
You can add a virus scanner (ClamAV) on the server to prevent certain viruses. We did this for one of our customers.
Those are my initial thoughts :)
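The "right MIME headers + CSP" part of the comment above, as an added example that is not the commenter's code: it checks that uploaded bytes really are a raster image by their magic bytes, then builds the response headers (fixed `Content-Type`, `nosniff`, a `default-src 'none'; sandbox` CSP) that keep a browser from executing the file. The magic-byte table and the header set are this example's own choices; the virus-scan step is only mentioned in a comment.

```python
from typing import Dict, Optional

# Magic bytes for the raster formats this example accepts. SVG is deliberately
# absent: it is XML and can carry script, so it needs different handling.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type of a recognised raster image, or None."""
    for magic, mime in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def safe_image_headers(data: bytes) -> Dict[str, str]:
    """Build response headers for serving user-uploaded image bytes.

    Raises ValueError when the bytes are not a recognised image, e.g. an HTML
    file uploaded under a .png name. A virus scan (ClamAV or similar) would be
    a separate step before the file is stored; it is not shown here.
    """
    mime = sniff_image_type(data)
    if mime is None:
        raise ValueError("upload is not a supported raster image")
    return {
        # Server-determined type; the upload's declared type is never trusted.
        "Content-Type": mime,
        # Forbid content sniffing, so the body cannot be reinterpreted as HTML.
        "X-Content-Type-Options": "nosniff",
        # Even if a browser rendered the body as a document, nothing may load,
        # run, or connect from it, and it is isolated from the site's origin.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    # Constructed samples: a minimal PNG signature and an HTML file renamed to .png
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    fake = b"<html><body>not an image</body></html>"
    print(safe_image_headers(png))
    try:
        safe_image_headers(fake)
    except ValueError as err:
        print("rejected:", err)
```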