Yes, it is really dumb that some of these settings are exposed to all apps with no permission gating [0]. But it will likely always be possible to fingerprint based on enabled developer options because there are preferences which can only be enabled via the developer options UI and (arguably) need to be visible to apps.

0: https://developer.android.com/reference/android/provider/Set...

It's always boggled my mind what native apps are allowed to know versus the same thing running in a browser on the same device.

Because estimates suggest Americans lose about $119 billion annually to financial scams, which is a not insignificant fraction of our entire military budget, or more than 5% of annual social security expenditures.