@jwz I know you use Safari, but maybe it has something like this as well...
For ROTW, in Firefox, you can disable webp image support. I think that will cause it to ignore content served with image/webp MIME type, and maybe remove it from the Accept: request header as well. I haven't confirmed this, but if true, it would prevent the exploit from working.
Go to about:config and look for this webp enabled option, and set it to false as shown.