
Well, test files shouldn't be affecting the actual production binary.

But in practice that's not something that can be enforced for arbitrary projects without those projects having set something up specifically.

For example, the project could track the effect on binary size of the production binary after every PR. But then it still requires a human (or I guess an AI bot?) to notice that the increase would be unexpected.



Debian often removes these kinds of binaries by patching the upstream tarball. When they are not used, that should be quite easy anyway. That's why the attacker put the statement in the first place. It increases the chance that distributions will accept these.



