You can even see the decline in posts and votes before GPT became mainstream. This definitely look more like search engine failing to get rid of those cheap copycats.
From the fix, I believe the custom emojis were not double checked after a user submits a post. The post data was used to display the emojis, and thus allowing injection.
The fix now is to search the emojis in the custom emojis list from the backend rather than the user post.
I would argue this might make xz safer mid-term. So much eyes on it. I’m not familiar with other solutions, but who’s to say the bad actor won’t try a similar trick elsewhere