A slightly less nasty hack is putting this in the HTML head part of a custom theme component:
<meta name="referrer" content="same-origin">
That doesn’t remove the HTTP header, and I couldn’t find any definitive info if the HTTP header overwrites the HTML meta tag or the other way around, but at least according to a quick test with whatsmyreferer.com, it seems to work: no more referrer header is sent on outgoing links.