The way they usually work is they give you some string and you sign it to prove you own the address.
Could a malicious air drop make a transaction sending all your BTC to them, and then you sign it, and then they broadcast it to the network?
Or is signing a message different than signing a transaction?
Do not enter your data when you perform airdrop, as there is a chance that the documents can fall into the wrong hands, and do not download strange files because the computer can be infected and your passwords will be known to other people.