Andi, I might be wrong, but what I see in my Network tab (usually Firefox) is nothing that seems to be unusual regarding doku.php. I can only see two headers, one "Request" and one "Response". The same is true for all transferred objects. When asking a Chromium browser I can see a similar picture. After selecting "Blocked Requests" there, the list remains empty.
Probably I can't see the forest for the trees, but I can't detect anything like a "Content-Security-Header" or similar anywhere.
What I can see in FF (Chromium looks similar):
Response Headers (376 B)
HTTP/1.1 200 OK
Date: Sat, 06 Aug 2022 14:43:04 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Cookie,Accept-Encoding
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Encoding: gzip
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Request Headers (462 B)
GET /doku.php?id=start HTTP/1.1
Host: <my-wiki.local>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://<my-wiki.local>/doku.php?id=start
DNT: 1
Connection: keep-alive
Cookie: DokuWiki=n2clhgufgjo920tbuqtqjufoaj
Upgrade-Insecure-Requests: 1
Well, you've asked about my intention. Good question! I got the impression that the server is sending only the alternative text information, like :-). I thought that the MIME type could be the reason. Meanwhile I detected that even PNG files are obviously marked as being of type "text/html" and all of those are visible.