I would think what matters is whether or not you’re attempting to form a shared identity that links activity between devices, installs, site visits etc when the user hasn’t explicitly created an account in all of those places. Basically anything that’d allow you to map out their activity regardless of if they have an account or not is what’s problematic.
With some exceptions (such as social media apps) I don’t think it’s generally first party devs who are doing this, but rather third party SDKs that are popular with devs, e.g. Google Analytics, Firebase, Facebook SDK, etc.
That just means that you need to be creative with shuttling data around. Web tracking identifiers can ride in on deep links for example, which are then persisted to user defaults. After these identifiers have accumulated from a few different sources you then have a reasonably high-confidence fingerprint of the user.
To help this along the app can do things like kick the user out to their main browser to do some routine thing, where cookies can be accessed. The user doesn’t need to deep link back to the app in that case, the app can pull down whatever tracking info was harvested during the page visit and persist it.
With some exceptions (such as social media apps) I don’t think it’s generally first party devs who are doing this, but rather third party SDKs that are popular with devs, e.g. Google Analytics, Firebase, Facebook SDK, etc.