I think that the base64-encoded absolute server filesystem path to the image file is the security hole (image.php uses this path as the imgp parameter).
I propose to export only the path that is relative to the Brilliant Gallery albums directory.
This path will be used in brilliant_gallery.module when we need to export it as part of the URL.
Then the relative path will be expanded to the absolute path in image.php, using the relative path value that was passed in the base64-encoded imgp parameter.
For more security, an .htaccess file may be used to protect the Brilliant Gallery albums directory from external HTTP access.
I think this is a critical issue.
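
A sketch of the relative-path handling proposed above, as an added example that is not part of the original post or the module's code. The function name `resolve_imgp()`, the extension allow-list and the sample directory layout are assumptions; the `realpath()` containment check is an addition that keeps a relative value containing `..` from expanding to a path outside the albums directory.

```php
<?php
// Added example, not Brilliant Gallery code. resolve_imgp() and the
// albums-root argument are hypothetical names.

/**
 * Decode a base64 imgp value holding a path relative to $albumsRoot and
 * return the absolute path, or null if it does not stay inside the root.
 */
function resolve_imgp(string $imgp, string $albumsRoot): ?string
{
    $relative = base64_decode($imgp, true);   // strict: reject non-base64 input
    if ($relative === false || $relative === '' || strpos($relative, "\0") !== false) {
        return null;
    }
    $root = realpath($albumsRoot);
    if ($root === false) {
        return null;
    }
    // realpath() collapses "..", resolves symlinks, and fails for missing files.
    $absolute = realpath($root . DIRECTORY_SEPARATOR . $relative);
    if ($absolute === false || !is_file($absolute)) {
        return null;
    }
    // Containment check: the resolved path must sit below the albums root.
    if (strncmp($absolute, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    // Serve image types only (assumed allow-list).
    $ext = strtolower(pathinfo($absolute, PATHINFO_EXTENSION));
    return in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true) ? $absolute : null;
}

// Constructed sample layout in a temporary directory.
$base = sys_get_temp_dir() . '/bg_demo_' . getmypid();
mkdir("$base/albums/holiday", 0700, true);
file_put_contents("$base/albums/holiday/beach.jpg", 'constructed image bytes');
file_put_contents("$base/settings.php", 'constructed file outside the albums root');

$cases = [
    'holiday/beach.jpg',      // inside the root: accepted
    '../settings.php',        // resolves outside the root: rejected
    "$base/settings.php",     // absolute path: rejected
    'holiday/missing.jpg',    // does not exist: rejected
];
foreach ($cases as $relative) {
    $result = resolve_imgp(base64_encode($relative), "$base/albums");
    printf("%-40s => %s\n", $relative, $result ?? 'rejected');
}
```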