It is subject to any file size restriction set by PHP or your server.
Keep in mind that you should not need to worry about bandwidth: the plug-in automatically rescales your image to a requested size on the server. A 50mb image (which could only happen, given the supported file formats, with a MASSIVELY high resolution image) scaled to, say 32x32px upon request, would be pretty low bandwidth. The original file would never be served - only used to generate the various requested sizes. Since disk space is not at a premium on my most hosts (and if it is, there are usually small server-enforced sizes), I don't see this problem as a major issue.
I strongly believe in simple plug-ins that don't litter WordPress with settings options, and I think it's a small niche that's concerned about huge JPG images being uploaded for avatars. That said, I'll strive to add a filter allowing developers to enforce avatar sizes in the next update.