The way they usually work is they give you some string and you sign it to prove you own the address.
Could a malicious air drop make a transaction sending all your BTC to them, and then you sign it, and then they broadcast it to the network?
Or is signing a message different than signing a transaction?
Airdrops are meant to be free and in no case whatsoever are you required to send anything to them. Also, when they asking for private information like signing of message which involves your keys, you need to be careful especially when they provide a link for you to access your wallet with. Most airdrops are fraudulent and one really needs to be careful with the way they go about it; the first step should be having a separate wallet for all that pertains to it.