de0u One piece of good news is that many restaurants, coffee shops, etc., have free anonymous Wi-Fi, which can be used for the OEM-unlock handshake.
moddel Yes, however a lot of public WIFI have captive portals or are otherwise provide heavily port restricted internet access which could interfere with the registration.
I do not recall any reports of that happening on this forum. I do recall lots of reports of people using public Wi-Fi networks to OEM-unlock Pixels.
moddel Has anyone identified which app is running on stock pixels that is responsible for this unlock?
I recall one such claim: https://discuss.grapheneos.org/d/12693-oem-unlocking-which-appsservices-are-responsible/6
moddel If Google requires an internet connection to oem unlock a pixel then as soon as that stock device hits the internet raw, all privacy bets are off.
Is it possible to list specific privacy threats?
Let's say the Pixel reports everything about itself to Google when asking permission to OEM-unlock: serial number, IMEIs, MAC addresses (all of them). Google already knows all of those values, because Google stored those values in the phone. Probably the device transmitting any one of those is good enough, because Google plausibly has all of those values in a single database row for the device.
Google also gets some sort of IP address for the phone, e.g., the coffee shop's IP address. Perhaps the phone also reports its location from GNSS, and also reports nearby cellular-site identifiers and nearby Wi-Fi SSIDs.
Now Google knows that a specific Pixel was first powered on at a specific location (at a specific time).
Then what?