You can almost certainly narrow down the McDonalds with a wide variety of things - this example is fairly contrived.

If you can see outside of the McDonalds for street view to be usable, you're almost certainly able to determine what country it is in, and potentially the exact location, depending on what is visible outside.

If it's a picture that shows the menu, well, street view isn't likely to be super useful, but you'd have a trivial time figuring out what country it is in at that point - menus vary from country to country, even when they are still in English.

New Mexico has relatively few McDonald's restaurants because New Mexico has a fairly low population - only 2.1m for the whole state. With that in mind, it seems unlikely that that Cloudflare has a close enough POP for you to be able to specifically decide it's NM.

If I can see enough for Street View to be able to confirm location, it seems like I can just search via the data there and get far more narrowed down results. If I can see a Burger King and a Best Buy outside from the picture, I can just use one of the many mapping services with APIs to get a list of all McDonalds locations within a tenth of a mile of a Burger King and Best Buy and look through a smaller list. If I'm confident of the time zone, like you suggest we should be able to be, then that's an even smaller list.

I'm not saying this attack is useless by any means, but I don't see a world where the sharing of the pictures to begin with isn't the most significant opsec failure and doesn't open you up to being de-anonymized in a myriad of other ways.