It doesn't sound like opting out of Meta's, Google's, or Microsoft's tracking does very much

It doesn’t even seem like the companies are going to particularly great lengths to hide these violations; for those who enjoy digging into code, the study shows how the websites get around the opt-out ...
The Hacker News

Session Cookie Theft: You Showed Your ID at the Door. But Someone Else Has Your Room Key

Stolen session cookies bypass MFA because tokens remain valid for hours or days, enabling silent account takeovers without triggering security alerts.