real linux-libre distros do not offer microcode packages because they are non-free
I would argue they’re not safe to use because they block security updates like CPU microcode in the name of absolute freedom.
F-Droid not being trusted. They build and sign a developer’s code on their behalf, so there is a chance for injection there.
There are reproducible builds, but I would argue it’s not taken seriously enough. Like right now nobody is publicly verifying Signal’s supposed reproducible Android builds and they’ve historically had problems keeping it working.
Also how most (or all?) Play Store apps (including FOSS) contain proprietary code.
I assumed the topic was more about online privacy.
You can use your own builds of Signal (or preferably Molly-FOSS) including a self-hosted server. You can bring your own push notification as well.
Why is TLS fingerprinting not mentioned? This is what Cloudflare uses and it’s highly effective (unfortunately). It doesn’t even require any use of HTML, CSS or JavaScript, and so can even identify non-browser things.