Yeah, I think this is a compelling argument, but also, it's a decent argument against using Google Search itself, is it not? They can almost certainly already correlate a click on a search result on google.com with the Google Ads subrequest from the target page.
And, on the other hand, the fact that web bundles are signed and can be delivered by any origin means that a privacy-focused user agent could try to fetch the bundle indirectly via some privacy-preserving CDN - essentially DoH for web bundles. If you are about to load a site via some known web-bundle host (like https://www.google.com/amp/ probably), try sending a request to some Cloudflare Workers setup or something first.
Hm okay, but then wouldn't Google get the same fingerprinting data (IP, headers, TLS params) in either scenario, whether they're serving a bundle or just a script?
And, on the other hand, the fact that web bundles are signed and can be delivered by any origin means that a privacy-focused user agent could try to fetch the bundle indirectly via some privacy-preserving CDN - essentially DoH for web bundles. If you are about to load a site via some known web-bundle host (like https://www.google.com/amp/ probably), try sending a request to some Cloudflare Workers setup or something first.