In this particular case, injecting content into the image to make someone read a false message doesn't seem possible. The pixel <img> tag has width and height set to one. This overrides whatever the image size is. No altered message will be readable.

This is true up until the point that someone finds a security issue with an image parser that’s present in a browser engine, and suddenly you have an RCE.