Pictures can use three types of vulnerabilities:
1. In your server settings. If you can upload a picture and refer to it, and it will remain unchanged and may not be a picture, but a script that will be executed on the server. It is eradicated by checking MIME and returning static without processing.
2. In the user's libraries (old versions of libpng, for example). It almost never occurs in the wild, but if you like, you can transcode files using ImageMagick. In practice, we find that checking MIME and transcoding IM solves all your problems. At the same time, one more thing - you will not be piled up with files of such a size that the hosting space will suddenly run out.
3. And here the third option pops up: attacking IM itself with all sorts of formats that support external links. It is eradicated by limiting what can be downloaded and processed at all, PNG and JPG, and then processing them with IM.
And taking it to another server is about nothing at all. Just increase the lags. They do this for very high-load projects ... but they don’t ask such questions there either ;)

I read a lot about the fact that when users upload images, you can often pick up a malicious script (shell, backdoor, etc.)

If you rely on the name that the user gave when saving the file, then yes, there will be a huge hole. And if the name in the script is somehow safely generated, then there will be no hole, the server will not execute these files with a PHP interpreter. For example, as a name - a hash from the contents of the file (at the same time it will help fight duplicates), as an extension - either jpeg, or gif, or png, based on the first few bytes of the file (if it does not fit into any of the specified formats, then refusal)