Photos does a lot of extra work on import (merging RAW+JPEG pairs, generating previews, database indexing, optional deletion), so my guess is a concurrency bug where a buffer gets reused or a file handle is closed before the copy finishes.
Rare, nondeterministic corruption fits the profile.
They constantly ask for an example project, even if it's something that is easily demonstrated, simply by running existing Apple software, and creating a project, would be a huge pain.
They also ignore reports. Very rarely, I may get a ping on one of my reports, asking me to verify that it was fixed in some release. Otherwise, there's no sign that they ever even read it.
I usually end up closing my bug reports and feature requests, after a few months, because I'm tired of looking at them.
It's clear that they consider every bug report to be a burden. That's a very strange stance, but then, they are not a typical company.
I guess you can't argue with the results, as they have a market value North of 3 trillion dollars, but that does not make it any less annoying.
I've had pretty good luck reporting bugs to Google (notoriously bad!):
1. provide simple, crystal clear examples that cannot be due to third parties, misconfiguration or user error.
2. show that it's happening to a large number of mainstream users (not niche)
3. show that it breaks critical workflows and has no easy workaround (incl partial workarounds).
4. if you meet #1-3, then wait 6-9 months minimum (more if hard to fix). If not, wait 3-5+ years.
---
Favorite example: in the mid-2000s, I caught google maps confusing suite/apt numbers for street numbers. It got flagged as low priority. So, to get the team's attention, I reproduced the bug on a large Google offices. Six month later, bug fixed.
After that experience, I report everything to Google that breaks my workflow. Like clockwork, the biggies get fixed a couple of quarters later.
---
Want long? Try improving/fixing core issues with the API design of Linux or PostgreSQL: fix times can be measured in decades. Backward compatibility is insufficient - they rightfully worry about libraries and tools adopting the new APIs and then breaking legacy systems that cannot be upgraded even for mission-critical security issues.
---
NOTE: OP bug feels P0 and the better strategy is either mass media (incl HN) or networking to someone inside the company. I've hit those too over the years and can usually find someone at the company to send directly.
They also used to let anyone add any gmail address to a Google Groups group, and send out unfilterable spam as a message from that group.