Well, the EXIF data is going to include the focal length at least; I assume all that data is part of the blob being signed. So it would be pretty annoying to make sure the image aligns with what that lens would capture at that focal length, but yes, the "analog loophole" strikes again.