Correct and it's just one of many reasons why checksums and signatures are so important in package managers. There's an automatic enforcement of privacy and integrity.
Package manager installations are normally built from source by the distribution maintainers, not downloaded as binaries from the Mozilla website. So they wouldn't have any "download identifier", unique or not, in them.
Looks like Chocolatey gets the binary from download.mozilla.org [1], while WinGet gets it from download-installer.cdn.mozilla.net [2] (which looks to be the HTTPS repository mentioned in the article, thus being exempt from tracking?)
This is the difference between a distribution and a simple package manager. Linux distributions have a more holistic approach to this and enforce it with checksums, signatures, reproducible builds, etc. A package manager really only cares about managing the packages installation, dependencies, etc. Not the integrity of the packages themselves.
It doesn’t look to me like the tracking stuff is on the HTTPS repo links, so they’re probably telling the truth about that. They also ship a version in the Microsoft Store, that should be safe too (I don’t think Microsoft shares user identities for free apps with the developers, maybe I’m wrong?)
Which is what 95% of users would do though.. the average user will use Windows or Mac and has never heard of Chocolatey. Firefox is not in the Mac app store and I guess not on Windows either.
