When you share public posts, photos are transferred to users of other systems along with the text of the post. Occasionally a photo gets lost along the way, but that's no issue with authentication, but with federation.
Things change, when you share a private post with photos.
On Diaspora you can have EXIFs automatically removed from your photos in the settings section. You always upload a photo into a specific post. The photo is assigned a link and the photo is public. Yet the link to a photo contains a long string of random characters, so the photo is hard to find.
Friendica and Hubzilla have photo albums. So users can upload photos into posts or into photo albums. That means the access to a post and the access to photos are controlled independently. Friendica and Hubzilla also do not automatically remove EXIFs from photos. Depending on your settings EXIFs can reveal the time the photo was taken, the camera model and the location. EXIFs can be removed before uploading a photo.
If a friendica or Hubzilla user uploads a photo into a private post, the access to the photo will be private too. Unfortunately that doesn't work across networks. If a friendica user makes a private post with a private photo, Hubzilla and Diaspora users will see the text of the post, but will only see a placeholder instead of the photo. It's the same for Hubzilla users sending to friendica and Diaspora.
So what can Hubzilla or friendica users do, if they want to share a private post with a photo across the network?
They can upload the photo first and make it public, then the photo can be seen by anyone looking at their photo albums in their account. That may be fine if the photo shows something mundane that only becomes personal in the context of the post. They can upload the photo to some other place (Nextcloud, own website, PixelFed,...) and embed it into their private post. That means the photo will not show up in the albums of the account.
Hubzilla users can make their private post with photos accessible with a guest access token. That means they create a link that allows access to their channel and shows the private post with photos to anyone who has the link. They can set that guest access token to expire after a certain time. I have used this option and I think it's one of the coolest features of Hubzilla. The photos remain private and even if the link ends up in the wrong place, the access to the post has a time limit as an additional safety feature. In addition the token links to the channel, which means one will see all public posts and the private post(s) that are allowed with the token. In other words a visitor will end up looking at news and flower photos, scrolling, and not knowing what to look for unless he got some info what the post is supposed to be about and how old it is. If the token has expired, the post in question will just have vanished. All the other posts will still be there.
You'll find more notes about this topic here: https://hubzilla.a-zwenkau.de/channel/anna?f=&cat=Decentralized