Also, in case you haven't guessed it yet, all of this can be used to fingerprint a browser's identity--but not a user. In my previous company we had a piece of software that reported all sort of HTTP/2 packet traces, which then we fed to a machine-learning algorithm to know which connections were actual browsers and which ones were bots[^1]. It worked fairly well, but we never had to flex it very hard because it was at a time when most Internet bots were still running in HTTP/1.1 while most actual browsers were running HTTP/2.
A corollary of the above is that image-identification captchas in mainstream CDNs are not what they purport to be, but something darker and weirder.
[^1]: bots not powered by browser automation, that is.
A corollary of the above is that image-identification captchas in mainstream CDNs are not what they purport to be, but something darker and weirder.
[^1]: bots not powered by browser automation, that is.