I'm getting a bit tied up in knots with the practical implications of fingerprinting. I'm concerned about commercial profiling, not hiding from three-letter agencies.
Suppose I use only privacy-respecting apps in the owner profile. I browse with Brave or Vanadium. I use a VPN. I only browse websites which don't require me to sign in. Despite this, my web activity is still being tracked via browser fingerprinting because it's essentially impossible to prevent without using Tor Browser (or maybe Mullvad Browser).
However, since I didn't log in anywhere, there is no concrete identity associated with all this data. So there is a profile at data broker D saying:
"Individual 44943244 visited site S1 at time T1, site S2 at time T2, etc."
This won't be a complete list of sites I've visited, because not every site has trackers and maybe the browser's anti-fingerprint protection fools some others, but it will include most sites.
I now create a separate user profile or private space which uses a different VPN. I install my bank's own app and WhatsApp in there. I only let these apps run for a few minutes at a time when I actually need to use them.
Both of those apps know my real name. They can fingerprint my device.
Is all this technically correct so far?
Now assume those apps provide their information to data broker D. Does this allow filling in my real name on the previously pseudonymous web activity profile of "individual 44943244"? Either immediately, or as more data collection happens.
Is this just a theoretical possibility or is it actually routine?
Is there any way to reduce this risk without keeping these untrusted bank apps/WhatsApp on a separate phone?