That's when you're caching a whole page which contains images. The OP is talking about putting the CDN in front of a bucket which doesn't serve anything but images (= 100%).

You can easily work around that problem by putting the CDN in front of everything, including web pages and API calls, not only your bucket of images.

OP might want to do that anyway, since the attacker will now be hammering their Rails app instead of just the bucket.