Comment by lathiat
12 hours ago
It wouldn't surprise if Apple had fixed this, it's the sortof thing they would fix, but it may be worth trying with 2 devices not from the same iCloud account. Wouldn't surprise me if the code paths were subtly different in that case.
They would seem to contain identifiers as law enforcement have been able to follow up on instances where there has been airdropping of perverse images, but as noted by others the files don't include names.
The problem with airdrop (and likely why the 10 minute setting now exists) is that it includes a preview image as part of the notification request.
So other than being able to subject someone to perverse images, preview images have also been used in state-sponsored zero-click attacks to infect the phones of their targets. While that vector seems to be muted for now, the 10 minute setting provides a layer of defence against both potential future zero-clicks and receiving unsolicited previews images.