The canister message payload size limit is indeed 2 MB. Subnet-local canister requests may go up to 10 MB, but we will be deprecating that now that chunked Wasm uploads have been implemented (since the metrics seem to show that requests larger than 10 MB are only ever made to the management canister; i.e. they appear to be canister installs only).
But for whatever reason, the ingress response payload size limit is 3 MB.