How would I validate that any image is actually from my correct user?

In short: use Signature Authentication.

If you run a website and control its server-side code, you can store your Transloadit secret safely there. Your visitors will be logged in with your server. When one of them wants to upload something, your server knows the request is for a particular logged-in user. It can tag the upload and generate a signature of all these parameters using the secret only it and Transloadit know.

Now, when the file arrives at us, we also create a signature of the parameters using the same secret. If the two signatures don't match, and you have set the option in your account that signatures are required, we'll reject the upload.

This way you can be sure that:

  1. Uploads only work for logged-in users.
  2. Uploads are tagged with user information, and this cannot be forged by them, as they don't have the secret to forge the correct signature for those parameters.
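
The scheme described above, sketched as an added example (not Transloadit's own code): the server signs the tagged parameters, and the receiving side recomputes the signature and rejects anything altered or expired. The field names, the `example-auth-key` value, the expiry format and the choice of HMAC-SHA384 are assumptions for illustration; the real wire format is defined in Transloadit's documentation.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed sample secret; a real one lives only in server-side configuration.
AUTH_SECRET = b"constructed-example-secret"
EXPIRES_FMT = "%Y/%m/%d %H:%M:%S+00:00"  # assumed expiry format, always UTC


def _mac(params_json, secret):
    return hmac.new(secret, params_json.encode(), hashlib.sha384).hexdigest()


def sign_upload_params(user_id, secret=AUTH_SECRET, ttl_minutes=10, now=None):
    """Server side: tag the upload with the logged-in user, then sign it."""
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(minutes=ttl_minutes)).strftime(EXPIRES_FMT)
    params = {
        "auth": {"key": "example-auth-key", "expires": expires},  # key is public
        "fields": {"user_id": user_id},  # hypothetical tag field
    }
    # Sign the exact string that is sent, so both sides hash identical bytes.
    params_json = json.dumps(params, separators=(",", ":"))
    return params_json, _mac(params_json, secret)


def verify_upload_params(params_json, signature, secret=AUTH_SECRET, now=None):
    """Receiving side: return the user tag, or None if the upload is rejected."""
    expected = _mac(params_json, secret)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return None
    # Parse only after the signature has been checked.
    params = json.loads(params_json)
    expires = datetime.strptime(params["auth"]["expires"], EXPIRES_FMT)
    if (now or datetime.now(timezone.utc)) >= expires.replace(tzinfo=timezone.utc):
        return None  # a captured signature cannot be replayed indefinitely
    return params["fields"]["user_id"]
```

Only the parameters string and the signature are handed to the browser; the secret never leaves the server, which is why a visitor cannot re-sign edited parameters.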
