Defaulting to discourse.org CDN for avatars is a privacy and security risk

I think all of those bullet points are really good things, but to be fair, people were concerned about Gravatar usage as early as February 2013 (and keep in mind the denominator of how many Discourse “people” were around back then was much lower):

https://meta.discourse.org/t/is-gravatar-indeed-a-privacy-leak/779

AFAIK Gravatar was “always” used, at least from when I started with Discourse. And the difference here (and a source of OP’s original concern, I think) is moving from a local to an outsourced solution by default, without any notice or chance to opt out before it happens.