The safe harbor provisions largely protect X from the content that the users post (within reason). Suddenly Grok/X were actually producing the objectionable content. Users were making gross requests and then an LLM owned by X, using X servers and X code would generate the illegal material and then post it to the website. The entity responsible is no longer done user but instead the company itself.

So, if someone hosts an image editor as web app, are they liable if someone uses that editor to create CP?

I honestly don't follow it. People creating nudes of others and using the Internet to distribute it can be sued for defamation, sure. I don't think the people hosting the service should be liable themselves, just like people hosting Tor nodes shouldn't be liable by what users of the Tor Network do.

Yes, and that was a very stupid product decision. They could have put the image generation into the post editor, shifting responsibility to the users.

I'd guess Elon is responsible for that product decision.