Some thoughts on this. First, you've to clarify the rights for the profile pictures. This heavily depends on the jurisdiction under which your services are measured. However, releasing pictures of humans, it's a promising idea to ask for consent by the humans themselves.

Secondly, there's no need for inclusion of the picture claim in the ID token. You could provide it solely on the user info endpoint as well, so only applications which make use of the claim will fetch this data from there.

In other words, it depends on your usecase and requirements.