Here's a related, interesting example for BlueSky, on generating disguised links and preview cards (with content the url doesn't actually contain) for anyone curious: https://github.com/qwell/bsky-exploits
The article mentions there are aleady a few issues, some quite old. The article is useful for raising awareness and hopefully getting the fix prioratized higher.