de0u Issue #2314, while not fully verified, seems plausible.
Quotesquestioner I think I don't really get it. What I understand in there is that apps can currently (Mon, Sep 23) fingerprint my device in theory. Is that right?
I don't think that issue yet contains a report which solidly verifies that the issue leads to powerful fingerprinting and in which circumstances.
For example, there is a recent comment that makes allegations about Snapchat but provides no proof and doesn't cite any source.
There is a report that the Media DRM i.d. persists across a factory reset within GrapheneOS, but that post doesn't make it clear whether or not the i.d. is shared across profiles, and it also doesn't discuss whether flashing an OS resets the i.d.
The issue doesn't contain any reports on whether (as Google documentation suggests) different web sites accessing the i.d. receive different i.d. values, or whether the i.d. would work for cross-web-site fingerprinting.
Overall, I think there is enough information to be concerned (which is why I filed the issue), but it is not clear that the exact extent of the issue is understood. More hard data might raise the priority of the issue with the GrapheneOS team (but comments on the issue that don't contain hard data, e.g., "This is important!", may result in the developers locking out comments, which would make it harder for hard data to be accumulated).
This might be a big cross-site/cross-profile fingerprinting technique, but it also might not. It would probably be useful if somebody could spend a couple of days with a couple of devices, flashing a couple of OSs, factory-resetting a bunch, creating multiple profiles, etc. And it would probably also be useful for a web developer to wade through the Media DRM API and set up a couple of test web sites with different domains. I suspect it would be productive for people running experiments like that to add detailed comments to the issue.
Please note that I don't speak for the GrapheneOS project.