The way they usually work is they give you some string and you sign it to prove you own the address.
Could a malicious air drop make a transaction sending all your BTC to them, and then you sign it, and then they broadcast it to the network?
Or is signing a message different than signing a transaction?
there's no way it can give u malicious thing expect u give them the Private key of your addres , as long it public addres its fine
No signing a message is completely different. It just proves ownership of the wallet. It cannot be used to send or receive any bitcoin. Nothing to worry about.
Keep your privatekey safe and you will be fine. Also you need to remember to take care what wallets you use. Some wallets might be scams and steal your privatekey.