Unless they’re spoofing their MAC address, hardware fingerprinting is much more reliable and predictable. It’s easy to watch a MAC bounce all over the country/world in a matter of minutes.
At this point in history, it’s too late to implement identity protections. Your profile is already built, stored, and backed up. They even know your deleted edgelord MySpace account and that you unfriended Tom (you monster). I guess if you were born in a ditch without a SSN, and never signed up for anything, not even a house/apartment, you could go under the radar.
I’m speaking from the point of view of the app you gave permissions to collect your hardware data. Y’all are talking like I think a MAC is transmitted over tcp. I don’t need an intro to OSI. Those apps use the hardware data to know if you’re using Samsung, LG, Apple, etc and they store large databases of MAC addresses on individuals. They can even build a local hardware profile to see if you sold your device, to whom, and what device you replaced it with.