It’s probably something called “gaslighting”. If so, it’s intended to scare you.
Telling you a story, and showing you something that doesn’t actually prove access.
That photo might be because your password is known and that would be Bad (and you’ll want to change that password Right Now, if so), or because of an old backup on your iPhone on a computer that your ex now has, or because you’re still in Family Sharing and haven’t exited, or because the old photo was previously shared, or your ex still has a trusted device, or because you have re-used a password across different services and have previously been caught up in some unrelated web service breach (and again, if that password has become known, you’ll want to change that Apple ID password Right Now).
Again, enabling two-factor authentication on your Apple ID is important here, as has been suggested above. This makes it harder to wrest control of your Apple ID. And it’ll flag attempts to log in.
In the US, the folks that enforce CFAA 18 USC § 1030 tend to take a dim view of unauthorized access, if unauthorized access occurred here.
And for completeness, some folks will attempt to “phish” or spoof or otherwise con somebody else into exposing their (your) password:
Recognize and avoid phishing messages, phony support calls, and other scams - Apple Support
I’m not as certain of the infallibility of iPhone security as some of the respondents above, but I doubt that your ex has access to GrayKey equipment or similar forensics. And that would still require physical access to your iPhone. And a million dollars is a small expenditure in the offensive computer security business.