Images based on 4CC codes internally, the parser will ignore
any 4CC codes it does not recognize. This could allow metadata
to be added. Or it could allow just about anything to be added.
It would be pointless for a Windows group to sit around
hypothesizing about things for which no standards exist.
Which could be discovered in any reasonable way.
If we were to do that, we would start with a sample JPEG file, and
examine it forensically for "crap". Just as we had to mess around
with heic and heif when they were presented to us.
There are image formats not based on 4CC and packet style carriage,
for which these sorts of things aren't going to happen. The parsers
in such cases are brittle, and you'd notice if someone had injected
crap.
If you use a gis file format, that's a carriage designed to purpose.
And not a "secret agent - known to a cloistered few" method.
And AV scanners *do* scan images for things that should not be in there.
It is just as necessary to scan a JPEG as to scan an EXE (stack smashing).
I could carry information via steganography, but... I'm not a secret agent.
I posted a link to such a tool, a few months back, but did not test
it myself, as I have no interest particularly.
Color laser printers use steganography, so that if you print bank
notes on a color printer, an identifier for the printer is embedded
in the pixels (yellow noise). But you'd only have a problem from the
Secret Service, if you happened to pay for the printer with a credit card :-)
For a format to be useful, if it was covered by standards, then I
could pop your modified image into Photoshop, and access the information
you added. Somehow, I don't think that's going to work, without at
least a third-party plugin. Just like the steganography app, you
would need the same app, to extract the message at the other end.
The method used is not standardized. There is more than one
steganographic method (more than one encoding), and one steg app
is not going to be able to extract a message from a different steg app.
The fun for the authors of these, is their claim it "cannot be detected".
Steg is an in-band method, adding 4CC packets is an out-of-band method.
Paul