The firms would then have a much harder time knowing if the information is genuinely from end users, if they no longer collect directly from user devices.
Basically, the scoundrels don't trust other scoundrels. That's what's saving us from getting server-rendered first-party ads on most websites, that would make adblocking much more difficult.
Actually server side rendered ads would be a whole lot more acceptable to me compared to what we have today: less bloat, less risk of malware injection.
Personally, I could live with a some advertising if that is how it was served and it was slightly relevant.
When they want to try to track me around the web to see what technical and news sites I visit and then serve me ads for dating sites then I'll just turn on ny adblock again ;-)
What you're describing already happens. The only way to defeat that is with client-side mitigations like uBlock. DNS-level mitigations like Pi-Hole will stop the content from loading if the ads aren't loaded.
A lot of firms (maybe most?) which buy this data actually don't care about that much as long as you can otherwise demonstrate the data is valid. If the data is predictive over time, it's valid, and most firms will happily accept that demonstration (with the proviso that they cease working with you once the data loses predictive value).
The reason the apps use those SDKs directly is because there's a hierarchy of resellers. The app developers themselves are lazy and typically want the SDK functionality which is provided free in return for their users' data. They're not always in the business of selling data themselves, they're just ambivalent.
Then the SDK providers abstract their own involvement in any particular app while still getting data.