The embedded `Emoji` can originate from a server that is different from the actor’s server. How should the embedded content be interpreted, exactly?

Currently, Misskey (which doesn’t support sending remote custom emojis as reactions) seems to interpret the embedded content as if it’s a distinct emoji originating from the embedding document’s origin instead of the origin of the embedded `Emoji`’s `id`, which makes it look as if the embedding document’s origin has “stolen” the emoji, which has caused some dispute (https://kmy.blue/@askyq/113098896504372609, in Japanese).

If you are to attribute the embedded `Emoji` to the origin of its `id`, you cannot trust the embedded content (without a valid signature) anyway, because the embedding server can fake the `href` of the image so that it looks as if the `id`’s origin is hosting a hateful emoji, for example. I understand kmyblue’s GHSA-c7p6-c688-fhgp (in Japanese) is of this class of vulnerability.

On the other hand, Fedibird and Meisskey are considering dropping embedded contents of remote `Emoji`s and instead refer to them by their object `id`s alone (https://fedibird.com/@noellabo/113102433357426082, in Japanese). However, current upstream Misskey doesn’t seem to be able to process this form (https://misskey.m544.net/notes/7191d1d707801604a514fd9a, in Japanese).