kirillan10
I checked that Canvas and WebGL data are the same for all Android profiles in Vanadium.
It's supposed to be the same across all the devices with the same OS version, browser version and device model.
This site shows that my fingerprint is unique and has never been repeated.
They have very little data and it's heavily weighted to out-of-date browser versions. Chromium 133 just came out and very few people have it outside GrapheneOS. You're limiting the data to GrapheneOS users and 1/1000 Chrome users simply by being on the latest version of Chromium. Timezone and locale are probably enough for it to be unique combined with that with the tiny amount of data they have.
How possible is it to replace Canvas and WebGL?
Since the antifraud system clearly linked my payments made through completely different profiles and IP addresses (VPN), this is an extremely serious privacy protection issue.
No, it doesn't work the way you're describing. The fact that it remains the same between profiles and across entirely different devices with the same versions of the software is how it's meant to be. In general, it's likely also the same across device models of the same generation but they can be distinguished via screen resolution, etc.
How often does the Canvas / WebGL principle change? After each update or when switching between global versions, for example, from Chrome 131 to 132?
There's no specific answer. It changes when there are relevant firmware, driver or browser changes.
How can I install Vanadium of older versions? Where can I download them? I want to check what Canvas and WebGL HASH appear for older versions.
The major version of Chromium is communicated to sites and can easily be detected via available features and the current way things behave so there's no point in trying to hide it. The canvas / WebGL fingerprint wouldn't normally change for minor releases. There's no point in checking it across major releases, no fingerprinting is needed to detect those.
Can third party apps (Android apps) that have payment system SDKs integrated and request 3DSecure codes via WebView (or without WebView) request same information and get the SAME Canvas + WebGL?
There's no reason they would need to use a WebView. A native app can use OpenGL, Vulkan, etc. directly and they can also simply see what the device model is instead of trying to fingerprint it.
Since I make a lot of payments daily under different profiles, but always use different VPNs, it was a big surprise for me when sites can match these payments without any problems...
This is not what you're seeing. You're seeing that having a low reputation IP from a VPN contributes to getting banned especially if you're making new accounts, etc. Being on Vanadium does mean several things are different from Chrome such as not having WebAssembly by default due to the JIT being disabled by default, being on the latest stable / early stable before it's pushed out to most Chrome users, etc. Probably not actually related to what you're describing. Vanadium doesn't have nearly as many users as Chrome or Safari so the users do fit into a smaller group. This applies to any browser with a smaller userbase than those. This isn't something that can be changed by adding features and that has made it more and more apparent that it's not Chrome. Pretending to be Chrome is not possible and you can use Chrome if you want Chrome.
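
An added example, not part of the thread or of any GrapheneOS code, illustrating the point made above about a test site's small data set: a canvas/WebGL hash shared by a whole device model identifies little on its own, while the latest Chromium major version plus timezone and locale can make a visitor unique in a small sample. All rows, hash labels and counts are constructed, and the function names are hypothetical.

```javascript
// Constructed sample (all values invented): visitors recorded by a small
// fingerprint-test site. Columns: canvas/WebGL hash label, Chromium major
// version, timezone, locale, number of visitors with that exact combination.
const ROWS = [
  ["gpuA", 133, "Europe/Berlin", "de-DE", 1], // the visitor under test
  ["gpuA", 133, "America/New_York", "en-US", 2],
  ["gpuA", 131, "Europe/Berlin", "de-DE", 40],
  ["gpuA", 128, "America/New_York", "en-US", 157],
  ["gpuB", 133, "Europe/Berlin", "de-DE", 1],
  ["gpuB", 131, "Asia/Tokyo", "ja-JP", 300],
  ["gpuC", 120, "America/New_York", "en-US", 499],
];
const KEYS = ["canvas", "major", "timezone", "locale"];
const SAMPLE = ROWS.map(([canvas, major, timezone, locale, count]) =>
  ({ canvas, major, timezone, locale, count }));

// Number of visitors indistinguishable from `target` when only `keys` are compared.
function anonymitySet(sample, target, keys) {
  return sample
    .filter((row) => keys.every((k) => row[k] === target[k]))
    .reduce((sum, row) => sum + row.count, 0);
}

// Identifying information in bits: -log2(share of the sample that matches).
function surprisalBits(sample, target, keys) {
  const total = sample.reduce((sum, row) => sum + row.count, 0);
  return -Math.log2(anonymitySet(sample, target, keys) / total);
}

// The same sample once every visitor has updated to `major`.
function afterRollout(sample, major) {
  return sample.map((row) => ({ ...row, major }));
}

const ME = { canvas: "gpuA", major: 133, timezone: "Europe/Berlin", locale: "de-DE" };
for (const keys of [["canvas"], ["major"], ["canvas", "major"], KEYS]) {
  console.log(keys.join("+"), anonymitySet(SAMPLE, ME, keys),
    surprisalBits(SAMPLE, ME, keys).toFixed(2) + " bits");
}
console.log("all keys after rollout:", anonymitySet(afterRollout(SAMPLE, 133), ME, KEYS));
```

In this sample the canvas hash alone matches 200 of 1000 visitors, while adding the browser version, timezone and locale leaves exactly one; once the whole sample is on the same major version, the same four attributes match 41 visitors.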