(always) be careful with image EXIF-data

Thank you for posting this.

Just to make it clear: We do actually think it is a very important issue, but as you said, Kirby is not directly affected by it. It’s just a security issue that users of any CMS can get into if they don’t do it right.

BTW, the code that does the transform from the “bad code” to safe text is as simple as the following line:

echo esc($exif->data()['ImageDescription']);
3 Likes
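A fuller version of the one-liner above, added here as an example and not part of the original post or of Kirby's own code: it also handles a missing field, array-valued tags, control characters and invalid UTF-8. `exifText()` and the sample array are made up for illustration, and `htmlspecialchars()` stands in for Kirby's `esc()` so the script runs without Kirby installed.

```php
<?php
// Added example. Assumption: $exif has the shape of the array returned by
// $exif->data() in the post; the values below are constructed sample data.

/**
 * Return one EXIF field as text that is safe to print inside HTML element
 * content or a quoted attribute value. Not safe for <script>, CSS or URLs.
 */
function exifText(array $exif, string $key, int $maxLen = 200): string
{
    $value = $exif[$key] ?? '';                 // many images lack the field

    if (is_array($value)) {                     // some tags decode to arrays
        $value = implode(', ', array_filter($value, 'is_scalar'));
    }
    $value = (string) $value;

    // Strip control bytes (NUL padding is common in camera-written fields).
    $value = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $value) ?? '';

    // Cap the length BEFORE escaping so an entity is never cut in half.
    // Requires the mbstring extension.
    $value = mb_substr($value, 0, $maxLen, 'UTF-8');

    // ENT_QUOTES escapes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 with U+FFFD instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample data: every value is attacker-controlled, because it
// comes from the uploaded file, not from the CMS.
$exif = [
    'ImageDescription' => '<script>alert(1)</script>',
    'Artist'           => 'Jane "JD" Doe',
    'Make'             => "Canon\x00\x00",
    'SubjectLocation'  => [1024, 768],
];

foreach (['ImageDescription', 'Artist', 'Make', 'SubjectLocation', 'Copyright'] as $key) {
    printf("%-17s %s\n", $key, exifText($exif, $key));
}
```

Escape at output time, in the template, and keep the stored metadata untouched; the same raw value needs different escaping if it later ends up in JSON or a URL.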