That's more like the case with the Do Not Track header being defaulted to 1 in some browsers and many (most?) sites using that as an excuse to not honor it.
I think it is a good outcome too. If people really want relevant and targeted ads, they will opt-in to no-DNT and yes-FLoC. The fact that people don't, and that websites don't honor DNT, reveal their lies and hypocrisy.
This is the important part regarding "security". Websites choose to not honor "DNT" headers.
Clients can just as easy choose not to honor no-floc headers.
Which is why I'm saying that this is not a security-thing. If people can just choose to ignore your security-headers, they are not a security-feature. At most they are a suggestion that, when followed, make the client honor privacy concerns from servers.