How is that? Itcan send whatever it wants as query strings(e.g timestamp, current window etc)

Browser fingerprinting is a thing. In fact I suspect most of the supposedly GDPR compliant (so no cookies or local storage) still use fingerprinting in the background because you can't prove it's happening from the client (and the law is not being enforced anyway).

Most fingerprinting relies on Javascript (or maybe some CSS shenanigans) which you could prove from the client.

Using fingerprinting for tracking is not GDPR compliant.