Volto - Lead Image of private content is not shown in block for authenticated

Thanks for the info. Yes, as @tiberiuichim mentioned, there's some magic at work at the SSR node server level. A special route is in place intercepting @@images and @@download:

The SSR server injects the auth_token information into an inner request from SSR to Plone, then returns the resultant image. All images and files work using it, to overcome the private images use case, since HTML src and href attributes can't inject the token in the bare requests made by the browser. This has been working since the very beginning of Volto.
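The mechanism described in the post above, sketched as an added example that is not part of the original post and is not Volto's own code: it builds the inner SSR-to-Plone request for `@@images` / `@@download` paths from the browser's `auth_token` cookie. The `BACKEND` URL, the function names, the JWT-shape check and the cache policy are assumptions made for illustration.

```javascript
// Added illustration, not Volto source. BACKEND is an assumed internal Plone URL.
const BACKEND = 'http://plone.internal:8080/Plone';
const PROXIED = /\/@@(images|download)(\/|$)/;

// Extract one cookie value from a raw Cookie header (null if absent).
function readCookie(header, name) {
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0 && part.slice(0, i).trim() === name) {
      return part.slice(i + 1).trim();
    }
  }
  return null;
}

// Build the request the SSR server sends to Plone, or return null when the
// path is not an image/file route and should be handled by normal rendering.
function buildInnerRequest(req) {
  // Only pathname and query are reused; the target host is always BACKEND,
  // so nothing in the browser's request can redirect the token elsewhere.
  const u = new URL(req.url, 'http://ssr.invalid');
  if (!PROXIED.test(u.pathname)) return null;

  const headers = { Accept: '*/*' };
  const token = readCookie(req.headers.cookie, 'auth_token');
  // Forward only JWT-shaped values so cookie content cannot smuggle
  // extra header data into the backend request.
  if (token && /^[\w-]+\.[\w-]+\.[\w-]+$/.test(token)) {
    headers.Authorization = `Bearer ${token}`;
  }
  return { url: BACKEND + u.pathname + u.search, headers };
}

// Cache-Control to set on the response to the browser: bytes fetched with a
// user's token must not be stored by shared caches in front of the SSR server.
// null means "pass the backend's own header through".
function cacheControlFor(inner) {
  return inner.headers.Authorization ? 'private, no-store' : null;
}
```

Requests without a valid cookie are still proxied, just anonymously, so Plone's own permission check remains the thing that decides whether private content is returned.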

Thanks for the pointer! And, thanks a lot for digging and getting this fixed! Sorry for not having the time to take a look into it or investigate further.