Using macOS 26 and iOS 26 I was unable to reproduce their findings. I airdropped a photo from my iOS device to my laptop, and nothing in `mdls`, `xattr -l`, `exiftool -s`, `rg -i` showed my name.
It wouldn't surprise if Apple had fixed this, it's the sortof thing they would fix, but it may be worth trying with 2 devices not from the same iCloud account. Wouldn't surprise me if the code paths were subtly different in that case.
They would seem to contain identifiers as law enforcement have been able to follow up on instances where there has been airdropping of perverse images, but as noted by others the files don't include names.
The problem with airdrop (and likely why the 10 minute setting now exists) is that it includes a preview image as part of the notification request.
So other than being able to subject someone to perverse images, preview images have also been used in state-sponsored zero-click attacks to infect the phones of their targets. While that vector seems to be muted for now, the 10 minute setting provides a layer of defence against both potential future zero-clicks and receiving unsolicited previews images.
