Someone tried this with an open source project I ran called bitmatch (now bitstring: https://ocaml.org/p/bitstring/latest/doc/Bitstring/index.htm...). They were running some scanning software that matched bits inside binaries, and felt they could threaten anyone who dared to use the word "bitmatch". Trademarks don't work like that since they only protect a narrow field of endeavour, not "no one can ever use this word".

They sent the C&D to my employer which made everything much more complex. I usually would have ignored it, but my employer's legal department was on my back about it, so I renamed the project to bitstring. For years my project was still top of Google search for "bitmatch". (I tried it now and I notice it's a different, Rust project, so the guy still didn't win in the end.)

I am completely unclear on whether publishing your project open source gives it (at least, the code, if not any deployed version) any kind of protection if Facebook etc. target it

I would love to get a lawyer's take on that, although I guess it would differ by jurisdiction - California and Ireland are probably the two key ones for most big tech

You are not responsible for what other people do, only what you do. If you feel the need to comply with a C&D by, for instance, taking down your work, you take down the repositories you are in control of and don't worry about others who forked the work. Worrying about them is the complaining company's job.