Most (all?) hash functions that support extended outputs have a similar property. As the hash accepts input, it mixes that input block-by-block into some sort of state. Then at the end, either that state just becomes the output (SHA-2), or it gets mixed up some more to produce one or more output blocks (SHA-3). If an attacker is able to find a collision in the state at any point in that process, then they can feed in any additional input blocks they like, or produce as many output blocks as they like, and all of that will still be colliding. So the size of the state is an upper bound on how much security the hash can provide. (The security could be lower, though, if the output is truncated for example.)
BLAKE3 is a little different, because the state is actually a tree, but the logic is basically the same. If an attacker can find a collision anywhere in the tree, that lets them produce collisions in the output, so the 256-bit internal tree node hashes (formally "chaining values") are an upper bound on security. (The way 1 KiB chunks are processed also resembles SHA-2.)
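The property described in the comment above, shown on a toy hash (an added example, not part of the original thread and not the BLAKE3 construction). The 16-bit chaining value, the SHA-256-based `compress`, and all function names are assumptions chosen so the state collision is found instantly; once two inputs reach the same state, every appended block and every output length collides too.

```python
import hashlib

STATE_BYTES = 2   # deliberately tiny 16-bit chaining value (toy parameter)
BLOCK_BYTES = 8
IV = b"\x00" * STATE_BYTES

def compress(state: bytes, block: bytes) -> bytes:
    """Mix one input block into the chaining value."""
    return hashlib.sha256(state + block).digest()[:STATE_BYTES]

def absorb(msg: bytes) -> bytes:
    """Pad, then fold the message block by block into the state."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % BLOCK_BYTES)
    state = IV
    for i in range(0, len(padded), BLOCK_BYTES):
        state = compress(state, padded[i:i + BLOCK_BYTES])
    return state

def toy_xof(msg: bytes, out_len: int) -> bytes:
    """Extended output: every output block depends on the final state only."""
    state = absorb(msg)
    out = b""
    counter = 0
    while len(out) < out_len:
        out += hashlib.sha256(b"out" + state + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:out_len]

def find_state_collision():
    """Birthday search for two one-block messages that reach the same state."""
    seen = {}
    i = 0
    while True:  # terminates: only 2**16 possible states
        block = i.to_bytes(BLOCK_BYTES, "big")
        state = compress(IV, block)
        if state in seen:
            return seen[state], block
        seen[state] = block
        i += 1

if __name__ == "__main__":
    a, b = find_state_collision()
    suffix = b"any additional input blocks"  # constructed sample input
    for n in (32, 64, 1024):
        # Longer output never separates the two messages again.
        print(n, toy_xof(a + suffix, n) == toy_xof(b + suffix, n))
```

Raising `STATE_BYTES` is the only change that makes the search harder; raising the requested output length does not.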
The doc says any output longer than 256 bits doesn't provide additional security. Why is it limited to the default size?