Currently the forum software just embeds the profile picture and embedded images in posts. This is a security risk for multiple reasons.
1. The linked website could use this to exploit security bugs in outdated browsers.
2. It is possible to see the IP address of every user who loads the picture (I didn't test this, but the browser accesses the image on the original website).
3. The images are (if the link doesn't use https) served over http.
By the way, I got an error because my profile picture was served over http. I changed the link to https, and when I logged in today I noticed that the image is gone. Was it automatically removed because of the https link?
UPDATE: Just tried to set a custom profile picture and it just failed without an error when trying to use an https link; the image is hosted on "i.imgur.com".
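
The exposure described in the list above can be audited and removed on the forum side. This is an added example, not part of the original post or the forum's own code: it classifies every image URL in a post and builds an HMAC-signed proxy URL, so that only the forum server contacts the image host. The hostname `forum.example`, the `/proxy` endpoint and the key are assumptions.

```python
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

FORUM_HOST = "forum.example"                # assumed forum hostname
PROXY_BASE = "https://forum.example/proxy"  # hypothetical proxy endpoint
PROXY_KEY = b"constructed-demo-key"         # constructed; load a real secret

class ImgCollector(HTMLParser):
    """Collect the src of every <img> tag in a post body."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "img" and src:
            self.sources.append(src)

def classify(url):
    """Name the exposure a viewer's browser gets from loading this image."""
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        return "local"                      # relative path on the forum
    if parts.scheme not in ("http", "https"):
        return "unsupported-scheme"         # data:, javascript:, //host, ...
    if parts.hostname == FORUM_HOST:
        return "local" if parts.scheme == "https" else "cleartext"
    # Third-party host sees every viewer's IP; http adds cleartext transport.
    return "remote-cleartext" if parts.scheme == "http" else "remote"

def sign(url):
    return hmac.new(PROXY_KEY, url.encode(), hashlib.sha256).hexdigest()

def proxy_url(url):
    """URL to embed instead, so only the forum server contacts the host."""
    return f"{PROXY_BASE}/{sign(url)}?url={quote(url, safe='')}"

def proxy_accepts(sig, url):
    """Proxy-side check: fetch only URLs the forum itself signed."""
    return hmac.compare_digest(sig, sign(url))

def audit_post(html):
    collector = ImgCollector()
    collector.feed(html)
    return [(src, classify(src)) for src in collector.sources]

# Constructed sample post body.
SAMPLE = ('<p>hi</p><img src="/avatars/7.png">'
          '<img src="http://i.imgur.com/abc.png">'
          '<img src="https://i.imgur.com/abc.png">')
```

The signature stops the proxy from being used as an open relay: it only fetches URLs the forum signed when the post was saved.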