Right. But even over HTTPS it's not rocket science to figure out that connecting to www.email1.hsbc.co.uk pretty strongly suggests you've opened an e-mail with an image. And the number of times you request the same URL tells someone... what exactly? Because HTTPS still tells people the number of times you access any URL on a domain.

Worst case scenario is the HTTP pixel request tells attackers that there is a verification chat happening.

HTTPS the attackers know a conversation is happening, but no idea what

But, I personally think the threat is being overblown (I am happy to be corrected though)