The real question is why iOS caches notification payloads to a persistent SQLite DB in the first place. The notification content only needs to live long enough to render the banner and be shown in the lock screen shade. Persisting it to disk for a month past dismissal isn't a "bug", it's a design choice that someone signed off on. Signal can set UNNotificationContent to show empty/placeholder text, but the default path for any app that hasn't opted out hits this cache. Worth reading the 404 Media piece for the forensic tooling details, this isn't a 0day, it's Cellebrite reading a plist.
I’ve been looking into reproducing the extraction of unredacted data. Found this, and it’s speculative, but Magnet Forensics has an internal “infomercial” on reconstructing content from notifications, too.
“find the inclusion of this information interesting because there is a chance that this still contains communications even when the record has been deleted from the sms.db file. I've yet to find definitive proof that this is the case however and it's possible that it is purged at the same time as sms.db is cleared.”
From: https://web.archive.org/web/20220120174606/www.doubleblak.co...
See also: https://theforensicscooter.com/2021/10/03/ios-knowledgec-db-...