we believe we have fully solved this issue. turns out, despite firefox claiming in errors that it was a CORS issue (leading us on an interminable goose chase), it super wasn't!
more details coming in the patch notes today but tl;dr: attachments were going straight to our digital ocean spaces URL. this URL is, for reasons unrelated to us, on a popular Phishing Blocklist that's included as an option in ublock, pihole, adguard, etc etc etc, although not on by default for any of them. this is why we couldn't repro with what we believed were the exact settings reporting uses were coming in with.
we handled this by routing uploads through a different domain.
please let us know if you're still seeing issues!
