When pasting an image into a comment, the email renders something like F424: Screen Shot 2015-11-06 or {F424}.
Users wish to see the content of the photo in their email.
We probably can't reasonably just attach the photo (that could end up big), but embedding an <img> tag for a direct download of the image might work.
For reference, GH uses the "Everyone with the link" security model (i.e., there's a no-security obfuscated link to the content). This might be a little extreme, but it gives users the behavior they like.
(Actually, this might already be possible using some combination of configuration I'm not thinking about).