Well, at least in the tiny part of the IT world I get to control, I always try to validate based on both the three letter extension and any common or sensible expansion of that. So ".jpg" or ".jpeg", ".jxl" or ".jpegxl" etc. etc. (And in most cases, I actually try to parse the binary itself, because you can't trust the extension much anyway.)
Well, at least in the tiny part of the IT world I get to control, I always try to validate based on both the three letter extension and any common or sensible expansion of that. So ".jpg" or ".jpeg", ".jxl" or ".jpegxl" etc. etc. (And in most cases, I actually try to parse the binary itself, because you can't trust the extension much anyway.)