This looks really odd in relation to other fediverse software; Why /magic and required to be on the root of the domain? Why hard-require routing the domain part of the user ID when .well-known/webfinger exists? Why is there a X-Open-Web-Auth header which the spec only describes as “its purpose is unclear from the code”?
So many questions.

I definitely like the idea of distributed sign-in, Solid did a decent work of that many years ago after all. This particular proposal just looks rather odd.

The design of IPFS - using content-based addressing with append-only interactions - makes deleting/revoking basically impossible to implement, let alone guarantee.
There’s the dat protocol (now hypercore by holepunch) that handled this better, with content being addressed by key instead, so that the owner of the private part of the key could modify content after “uploading” it.

Unfortunately, hypercore still hasn’t really reached that stable point where you’d like it to be for developing a software like this on top of it.

Honestly, something IPFS-based would probably be a reasonable answer, but I don’t think anyone’s made a generic image hosting system on it yet.