I guess I can get around it by turning off iexssprotect, but wouldn't it be better if media_contentcheck() first checked mime times to see if the file is text or a valid binary image instead of first assuming it is a text file?
No. The check is there because mimetypes cannot be trusted because IE is stupid. Read https://www.splitbrain.org/blog/2007-02/12-internet_explorer_facilitates_cross_site_scripting
for background info.
It might be worth to reevaluate the issue in 2019. I believe content type sniffing can be disabled in more modern browsers via headers so we might be able to get rid of this "feature".