PHP
Puma Thailand, 2012-08-30 22:23:52

Is it possible at the Apache or PHP level to prohibit the upload of any non-images?

There is a form for uploading pictures on the site; I can upload a PHP file through it and get a walk or something.
How could this be limited in the Apache or PHP config?
The upload code has already been rewritten, but you never know what programmers will write.
Of the ways found so far, there is only the prohibition of executing PHP in the upload folders.
I know the PHP code for determining the extension and other features; I'm interested in a solution at the Apache or PHP config level.


5 answer(s)
Vampiro, 2012-08-31
@Vampiro

The only 100% way is to resize the image from its original size to its original size, removing all "meta" information from it, and even better, changing the format, in order not to upload bmp/tiff :)
I'll put Creator="<? exec('rm -rf ../'); ?>" in the jpg meta, and it will be a normal picture that passes all your filters...
And then I will include this picture through a hole in the includes somewhere. And it's not critical for me what extension it will have, how it was renamed and what rights it has. Just reading is enough.
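
The re-encoding approach described in this answer, as an added example that is not part of the original post or the site's upload code. It assumes PHP with the GD extension; the function name `reencode_image`, the pixel cap and the sample marker string are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: decode an upload with GD and write a fresh PNG, so only
// pixel data survives. Metadata segments (EXIF, comments) are not copied.
function reencode_image(string $bytes, int $maxPixels = 25000000): ?string
{
    $info    = @getimagesizefromstring($bytes);
    $allowed = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF];
    if ($info === false || !in_array($info[2], $allowed, true)) {
        return null;                  // not a format we accept
    }
    if ($info[0] * $info[1] > $maxPixels) {
        return null;                  // refuse oversized canvases before decoding
    }
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        return null;                  // header looked fine, body did not decode
    }
    imagesavealpha($img, true);       // keep transparency of PNG input
    ob_start();
    $ok  = imagepng($img);            // new file built from pixels only
    $out = ob_get_clean();
    return ($ok && $out !== false) ? $out : null;
}

// Constructed sample: a tiny JPEG with a harmless marker string placed in a
// JPEG comment (COM, 0xFFFE) segment right after the SOI marker.
$canvas = imagecreatetruecolor(8, 8);
ob_start();
imagejpeg($canvas);
$jpeg   = ob_get_clean();
$marker = "<?php /* constructed marker, does nothing */ ?>";
$sample = substr($jpeg, 0, 2) . "\xFF\xFE" . pack('n', strlen($marker) + 2)
        . $marker . substr($jpeg, 2);

$clean = reencode_image($sample);
$has   = function (?string $s): bool { return $s !== null && strpos($s, '<?php') !== false; };
printf("getimagesize accepts sample: %s\n", var_export(getimagesizefromstring($sample) !== false, true));
printf("marker in sample:            %s\n", var_export($has($sample), true));
printf("re-encode succeeded:         %s\n", var_export($clean !== null, true));
printf("marker in re-encoded PNG:    %s\n", var_export($has($clean), true));
printf("plain PHP file rejected:     %s\n", var_export(reencode_image("<?php echo 1;") === null, true));
```

Only the returned PNG bytes are stored, under a server-generated name; the uploaded file itself is never written to the upload folder.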

DobroFenix, 2012-08-30
@DobroFenix

getimagesize(); or is_image();

Igor, 2012-08-30
@shanker

Not quite what you are looking for, and I'm not sure it will work. But if we are talking about a Linux server, you can try to set the rights on the folder for writing and reading, and inherit the rights for files inside the folder.
I remember that I often had problems executing scripts on web servers rented from a hoster until the scripts and the folder were given execution rights.

Nikolai Turnaviotov, 2012-08-30
@foxmuldercp

It is rather in the direction of looking at the MIME information and, if there are no jpeg/gif/tiff/png/etc. signatures, blocking it.
I would try to receive the first couple of kilobytes of the file from the client, check whether the required signature is there and, depending on that, either receive the entire file or say goodbye to the user.
Simply because no one forbids me to rename exe -> jpeg and try to slip it into the loader and then use the link to distribute any junk, for example.

OnYourLips, 2012-08-31
@OnYourLips

I wrote in the next topic that checking by extension is enough. Without the "local PHP file connection" vulnerability, the security of passthru.jpg would not be affected.
