That's true but it will really limit what information they can gather from you in the first place.
For example, the article mentions they knew about browsing habits but that wouldn't be the case if they couldn't see you.
I suppose it comes down to "we have the data, so let's use it"... we need to stop the mass-gathering in the first place then these "bugs" are meaningless.
You are correct, that is why I point out that regulation is the solution. Blocking what ads we can in the mean time is just a small way we - as unwilling users - can show that we are are unhappy with the way things currently are.
Depends on the block really. If you are using a blocker that just removes it from the UI, then yes the auction is still occurring. If you are blocking the JS code from even executing, then no data is transmitted. Unless I'm totally misunderstanding things, if the code doesn't run, then nothing happens.
For 3rd party ads, that is sometimes correct. What blocking js does is prevent cookie stitching, ie the joining of the first party id with the 3rd party cookie id. This is necessary for external ad networks.
Twitter runs mostly their own ads afaik, so they don't face this problem.
This is why I run uBlock Origin, which blocks the ad-tracking code at the network level. Pretty much anything in a third-party iframe doesn't even get to load from the server; the browser simply doesn't make the request. Doesn't stop anything the origin runs, but most origins don't; the third party embeds are generally the biggest threat.
This is also why Twitter having problems is such a big deal; as far as I'm aware, Twitter is serving their own ad-tracking code, rather than a third-party's code. Thus, it's harder to block completely, and any vulnerabilities might (somewhat) affect even users that are running privacy extensions.
It depends on the site. For example, a Twitter timeline or Google search engine result page only needs the https request for the auction to take place, as the ads are mixed into the first-party response.
Third-party ads inserted via javascript behave as you describe.
Blocking third-party cookies (by using ublock origin or a pi-hole or firefox) helps prevent more actors from observing your online activity, but simply by being in the ad auction, third parties can get a lot of indirect information (via real-time bidding, or RTB).
For example, the article mentions they knew about browsing habits but that wouldn't be the case if they couldn't see you.
I suppose it comes down to "we have the data, so let's use it"... we need to stop the mass-gathering in the first place then these "bugs" are meaningless.