I think they might. Maybe not all and always, but a thing about terrorists which can be quite mind boggling at times is that not everyone seems to agree who they are. Just look at how many countries are still doing business with Russia and other countries with less-than-stellar reputations. There may be plenty of parties who would actually not mind doing business with disreputable entities, for various reasons. I would assume they'd try to be a bit clever, but I wouldn't be surprised to see lax controls.
"terrorist" is an opinion or a judgment, not an objective fact. A better term in a KYC context "sanctioned entity" or somesuch.
If someone X is comfortable doing business with/as entity Y but a bank Z is not, it's totally sensible that X would say Y to the bank Z and bank Z would block them.
It is highly unlikely, but not impossible. Anecdotally, I did see a case of a business that put a real location of the business they are working with, which happened to be in a sanctioned country. Needless to say, it generated all sorts of questions and eventual OFAC contact.
Bottom line is: it happens, but I agree with you that people that know what they are doing are not putting "Pay for assasination by Osama Bin Laden on 03/28/23" in reference field.
Not really responding to your question, but one of my friend jokingly returned money to another friend with a bank transfer titled "for jihad". Needless to say, both banks were not amused. They both were "verified" on the phone and confirmed they are not, in fact, actually terrorists. I wonder how many people-years banks waste on pranks like this.
Many such organizations are legitimate legal entities in some country and handle purchases; and of course there are sanctioned people as well, and a payment from or to them does include their name.
I know you should never underestimate human stupidity but even taking that into account this still feels like security theatre on the part of PayPal.