"But, if you’re logged in the intranet of Awesome Corp., once you open my dangerous.com website I’ll know that you have access."

How? The subresource is a url to an internal server (https://intra.awesome-corp.com/avatars/john-doe.png)... sure it loads from my browser, but how does that tell that info to dangerous.com?