There has been some recent discussion in the news regarding Advertiser ID tracking.
https://krebsonsecurity.com/2024/10/the-global-surveillance-free-for-all-in-mobile-ad-data
https://www.texasobserver.org/texas-dps-surveillance-tangle-cobwebs
The basic idea presented in these articles is that companies are exploiting information related to a devices Advertiser ID to locate and identify individuals. This service is being sold to Law Enforcement entities. The process is more nuanced than this, but please refer to the articles if needed.
I have communicated with individuals who have access to tools like the ones mentioned in these articles and the basic summary of those conversations is that the ability is possible, but is very dependent upon a users settings. A traditional iOS or traditional Android user who allow excessive permissions to everything on their phone would be more at risk of being 'exposed' using this technology as compared to someone with more strict settings.
GrapheneOS & Google Play Services:
The FAQ section clearly discusses Non-Hardware identifiers, including Advertiser IDs
https://grapheneos.org/faq#non-hardware-identifiers
The advertising ID is a Google Play services feature not included in the baseline Android API, so it isn't an API included in GrapheneOS. The advertising ID is unique to each profile. It isn't unique to each app signing key like ANDROID_ID, but that makes little difference since apps within the same profile can communicate with each other with mutual consent. It's comparable to ANDROID_ID but provides an 128-bit value so it provides a strong cryptographic guarantee against collisions, although a device messing with apps could set it to the same value used in another profile. The advertising ID is exposed via the Settings app and can be reset to a new random value, unlike ANDROID_ID which remains the same for the lifetime of the profile, but apps can tie it to the previous ID since they can detect that it changed via their own ID in their app data. The advertising ID can also now be disabled (zeroed).
Using the search tool, these two previous discussions involve Advertiser IDs, but don't seem to end in a conclusion on the topic.
https://discuss.grapheneos.org/d/1997-automatically-delete-advertiser-id
https://discuss.grapheneos.org/d/566-cellular-carrier-discussion-thread/31
Finally, my questions assuming a GrapheneOS user installs Google Play Services in the manner suggested by GOS are below.
1) Given the sandboxed nature of GrapheneOS, what information could be derived being related to a GOS phone's Google Play Service's Advertiser ID?
2) Current user controlled settings allow a GOS profile to 'reset' the GPS Advertiser ID, but I do not see an option to disable it, or zero out the ID. Is this still an option?
Settings > Apps > Google Play Services > All Services > Ad Safety > Ads > Get new advertising ID
Thanks