Many sites use Gravatar in such a way that it exposes identity. They hotlink directly to Gravatar. This means you can do stuff like brute-force email addresses.
Discourse makes a copy of avatars.
If a user wants Gravatar updates on Discourse, they must click the refresh button.
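The audit below is an added example, not Discourse's code and not part of the original post: it finds hotlinked Gravatar URLs in rendered HTML and rewrites them to site-local copies. It relies on the fact that Gravatar avatar URLs carry a hash (MD5, or SHA-256) of the trimmed, lowercased email; the sample HTML, the address, and the `/avatars/<id>.png` path and id mapping are constructed or hypothetical.

```python
import hashlib
import re

# Matches hotlinked Gravatar avatar URLs (32-hex MD5 or 64-hex SHA-256 form),
# including any query string such as ?s=80.
GRAVATAR_RE = re.compile(
    r"https?://(?:[a-z0-9-]+\.)?gravatar\.com/avatar/"
    r"([0-9a-f]{64}|[0-9a-f]{32})(?:\?[^\"'\s>]*)?",
    re.IGNORECASE,
)

def gravatar_hash(email, algo="md5"):
    """Hash Gravatar uses in avatar URLs: digest of the trimmed, lowercased email."""
    return hashlib.new(algo, email.strip().lower().encode("utf-8")).hexdigest()

def find_hotlinks(html):
    """Return the email hashes a page exposes through hotlinked Gravatar URLs."""
    return [m.group(1).lower() for m in GRAVATAR_RE.finditer(html)]

def rewrite_to_local(html, local_ids):
    """Point each hotlink at a site-local copy keyed by an opaque id.

    local_ids maps email hash -> local avatar id (hypothetical scheme).
    Hashes without a local copy are left untouched so an audit still flags them.
    """
    def repl(match):
        local_id = local_ids.get(match.group(1).lower())
        return match.group(0) if local_id is None else f"/avatars/{local_id}.png"
    return GRAVATAR_RE.sub(repl, html)

# Constructed sample: the same (made-up) user on two unrelated sites.
EMAIL = "alice@example.com"
SITE_A = f'<img src="https://www.gravatar.com/avatar/{gravatar_hash(EMAIL)}?s=80">'
SITE_B = f'<img src="https://secure.gravatar.com/avatar/{gravatar_hash(EMAIL)}">'

if __name__ == "__main__":
    # Same address, same hash: the avatar URL is a stable identifier across sites.
    print(find_hotlinks(SITE_A) == find_hotlinks(SITE_B))
    # After the rewrite the page no longer carries the email hash.
    print(rewrite_to_local(SITE_A, {gravatar_hash(EMAIL): 42}))
```

Running `find_hotlinks` over a site's rendered pages shows which templates still leak the hash; an empty result after `rewrite_to_local` confirms that avatars are served from local copies.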