Why is TLS fingerprinting not mentioned? This is what Cloudflare uses and it's highly effective (unfortunately). It doesn't even require any use of HTML, CSS or JavaScript, and so can even identify non-browser things.
Because it just identifies browser builds.
Those values are in no way random enough to be sure you're tracking a single user. It could be one or 1000 you're tracking. Just because there's theoretically enough bits doesn't mean they are all used. You can't use it to log people in, for example; you'll end up with people in other people's accounts occasionally. IMO it's just a big scare.
Because when you collect tracking data for sale you don't care about every specific data point. You sell the data that is clean enough and scrap the rest. That's why Tor Browser recommends using the same window size for everyone, for instance, to make you indistinguishable and useless as a data point.
But you don't know how clean it is.
It will never be completely useless, though. It just means all Tor Browser users who use this window size will get the same ads. For advertisers it's still better than not knowing anything. They know there's a group of people and some of them are into dragon dildos and some like to buy used underwear, for example, and then everyone in the group gets related ads if an advertiser decides to use it.
Personally, I'm okay with getting average ads; the less targeted ads are, the less chance it will have any effect. Of course, it's better to use a blocker to not see ads at all, but I don't always use it.