I believe Michael has touched on this many times in different threads.
The retrieve from a URL means just that, and usually would be an HTML page. It will not parse images from a dynamic script and will not parse images if the img tags within the page are relative.
Images go into a user's uploads page, but once an image is processed and moved to data, the uploads file is deleted.
On the third point, yes, I suppose they could, but that's why there is htaccess.