Secure Media Uploads breaks Category Logos

I think the main issue here is that the secure_upload_analyse_and_update is a little heavy-handed when it comes to determining what should and shouldn't be secure, because the UploadSecurity class (https://github.com/discourse/discourse/blob/master/lib/upload_security.rb) checks whether these public types of uploads (e.g. avatars, category logos, etc.) should be secure or not at upload time, and this type is not present when checking again in the rake task.

I have a task tracked internally to improve this by checking all the places an upload can live at the time of this security check but it is a way off, and is part of a larger plan to have upload references stored in a neater way.

Anyway, I have a PR building now to fix this issue by making category logos and backgrounds public types when considering whether they should be secure or not. Once this is merged and you have updated, you will just have to re-upload the category images and things should be fine.

https://github.com/discourse/discourse/pull/10513

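To make the behaviour described in the reply concrete, here is a small Ruby model of the "should this upload be secure?" decision. It is an added illustration, not Discourse's UploadSecurity code or the rake task; the names (Upload, PUBLIC_TYPES_BEFORE_FIX, PUBLIC_TYPES_AFTER_FIX, should_be_secure?, reanalyse) and the sample uploads are constructed for this example. It shows three things: with category logos missing from the public-type list, the upload-time check marks them secure; adding them to the list fixes that; and a bulk re-check that no longer knows the upload's type marks every upload secure, including avatars, which is the separate limitation the reply says is tracked internally.

```ruby
require 'set'

# Minimal upload record for the example (constructed, not Discourse's model).
Upload = Struct.new(:id, :type, keyword_init: true)

# Upload types that stay public even when secure media is enabled.
# Hypothetical lists: the first omits category images, the second adds them,
# mirroring the change the reply describes.
PUBLIC_TYPES_BEFORE_FIX = Set.new(%w[avatar profile_background card_background]).freeze
PUBLIC_TYPES_AFTER_FIX  = (PUBLIC_TYPES_BEFORE_FIX + %w[category_logo category_background]).freeze

# Upload-time decision: the type is known, so a public type is never marked
# secure. An upload whose type is unknown (nil) cannot be shown to be public,
# so the safe default is to mark it secure.
def should_be_secure?(upload, secure_media_enabled:, public_types:)
  return false unless secure_media_enabled
  return false if upload.type && public_types.include?(upload.type)
  true
end

# Bulk re-analysis in the style of a rake task: recompute the flag for every
# upload and return { id => secure? }. When `type_known` is false the type is
# unavailable at this point, so every upload falls through to the secure default.
def reanalyse(uploads, secure_media_enabled:, public_types:, type_known:)
  uploads.each_with_object({}) do |u, flags|
    probe = Upload.new(id: u.id, type: type_known ? u.type : nil)
    flags[u.id] = should_be_secure?(probe,
                                    secure_media_enabled: secure_media_enabled,
                                    public_types: public_types)
  end
end

# Constructed sample: one avatar, one category logo, one ordinary post image.
SAMPLE_UPLOADS = [
  Upload.new(id: 1, type: 'avatar'),
  Upload.new(id: 2, type: 'category_logo'),
  Upload.new(id: 3, type: 'post_image')
].freeze

if __FILE__ == $PROGRAM_NAME
  puts 'before fix, type known:   ' +
       reanalyse(SAMPLE_UPLOADS, secure_media_enabled: true,
                 public_types: PUBLIC_TYPES_BEFORE_FIX, type_known: true).inspect
  puts 'after fix, type known:    ' +
       reanalyse(SAMPLE_UPLOADS, secure_media_enabled: true,
                 public_types: PUBLIC_TYPES_AFTER_FIX, type_known: true).inspect
  puts 'after fix, type unknown:  ' +
       reanalyse(SAMPLE_UPLOADS, secure_media_enabled: true,
                 public_types: PUBLIC_TYPES_AFTER_FIX, type_known: false).inspect
end
```

Running the script prints the three outcomes side by side: before the fix the category logo (id 2) is secure, after the fix only the post image (id 3) is, and the type-unaware re-check marks all three secure, which is why re-uploading (so the upload-time check runs with the type present) is the workaround the reply suggests.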