> It could be used to tie that logged in user to other web sessions that are currently anonymous.
If those other sessions are anonymous, why do they have the token?
See, I'm not very experienced in web-dev, and I'm very much aware that I may not know what I am talking about.
I'm just trying to understand how the tracking data in the bearer token will "leak". Can you give me a scenario, like "Client goes to SiteA, is then redirected to login on SiteB which grants the token, and then goes to SiteC which reads the token".
You may have different personas that you want to separate. I.e. your identity as a local county representative, your identity with a socialist online forum, your identity as employee, your identity as someone discussing weird sexual kinks.
For all you need to identify but you do not want them to be linkable to each other or your government-issued ID.
This is part of why relying on phone number validation for gatekeeping is an issue. (Try registering at Discord or Twitter via tor. I'll wait)