I’ve been around the Internet for a while now to see people abuse forums. Per the GitHub repo, I see that EXIF data is already stripped from images, but I’m not seeing any mention of extra data detection on Lemmy.
If I was at home I’d test this myself, but it’s extremely trivial to hide data in images. This is commonly used by less technical distributors of CSAM, as well as some malware, and should be looked out for if it isn’t already.
Not sure, but it is easy to configure the auto-conversion to another format like webp which will likely destroy any such hidden data.
Edit: https://git.asonix.dog/asonix/pict-rs is the image backend, so have a look what it can and can not do.