I would be more interested in a study of people entering credentials or taking other risky actions after clicking.

Yes, people whose job includes lots of link clicking are going to click links.

And one obvious but good conclusion: invest in mandating MFA for sensitive actions.

Exactly. I don’t think I’m alone in feeling that Google’s clever privacy engineering isn’t enough to keep any of us safe.

Google’s expectation that we be okay with these practices feels like corporate gaslighting, to me.

TL;DR - Google makes (arguably insane) claim that it previously acted responsibly with regards to fingerprinting, and says they will begin acting irresponsibility with fingerprinting in February.

Practical take-aways you probably already knew:

• Today’s Google may do or say anything to make an extra nickel.
• Today’s Google, while it employs some excellent privacy minded engineers, has not demonstrated an organizational commitment to user privacy.
• It is probably wise to assume that the next serious data breach at Google will end marriages, get politicians arrested, get famous people canceled, fuel successful scammers, and have every other privacy impact you can imagine. We know the Google data pool is massive, and we have reason to believe it is incredibly personal. I’m aware that Google has anonymozation solutions in play, and I do not believe those solutions will be effective in a breach scenario.
• I believe that the average person will likely be better off ten years from now if they interact less with Google services.