It is. Everything in bluesky that runs on the AT protocol (like 99% of it) is currently public.
So if you as the OP detach your post from the QRT, all you are doing is posting a certificate (akin to a revocation cert) that declares the intent that you don't want their QRT to be connected to your post.
An app can still show it. Or it can show it behind a warning prompt. Or it can hide it entirely.
It's an intent and even if it was controlled entirely, a determined third party could still work around it so there's not much point in trying to stop them. Instead you operate on "Don't be a dick" principles.
So if you as the OP detach your post from the QRT, all you are doing is posting a certificate (akin to a revocation cert) that declares the intent that you don't want their QRT to be connected to your post.
An app can still show it. Or it can show it behind a warning prompt. Or it can hide it entirely.
It's an intent and even if it was controlled entirely, a determined third party could still work around it so there's not much point in trying to stop them. Instead you operate on "Don't be a dick" principles.