by dmarti 1841 days ago
FLoC as a source of fingerprinting bits has been an issue in W3C discussions of the project.

https://github.com/WICG/floc/issues/69

As a fingerprinting surface FLoC has similar properties to the Battery Status API -- not stable for the same user over long intervals, but can be used to help match pageviews from different domains that were close in time.

https://www.schneier.com/blog/archives/2016/11/firefox_remov...

1 comments

Imagine sites like Facebook, Reddit, and Google themselves who have more monthly users than the FLoC ID has bits to count. Imagine they store each result for a given user, and assume that, with high probability, when that value changes it is fairly adjacent to the old value. Now, you build a graph database of IDs and their relations. Finally, you link it all to users' profile metadata. You can build statistical distributions around each ID node based on users' gender, race, family status, interests, etc. and use those probabilities to guess at the precise interests of each new and unknown visitor. Also, those sites have a lot of outbound links. Now you can figure out that a particular ID has a high correlation with a particular domain, too.

But only the big sites like Google have enough users to birthday-paradox their way into a meaningful ID graph, so you're safe from that tiny ad startup that also happens to be threatening Google's business model...

Google, Reddit, and Facebook also have sufficient first-party traffic to just gather data, target, and sell ads the "old-fashioned" way. The independent and small sell-side is also hit hard by this.
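
An added example, not part of the thread or of any FLoC code: a small privacy-audit calculation of what "fingerprinting bits" means in the post at the top, measuring how much a cohort-style value shrinks anonymity sets once it is combined with attributes a site already sees. The visitor rows, field layout and cohort numbers are constructed for illustration and are not real FLoC IDs.

```python
from collections import Counter
from math import log2

# Constructed sample: (browser, timezone, cohort) per visitor.
# Assumption: the cohort numbers are made up, not real FLoC values.
VISITORS = [
    ("chrome", "UTC-5", 101),
    ("chrome", "UTC-5", 101),
    ("chrome", "UTC-5", 202),
    ("chrome", "UTC-5", 303),
    ("chrome", "UTC+1", 101),
    ("chrome", "UTC+1", 202),
    ("chrome", "UTC+1", 202),
    ("chrome", "UTC+1", 303),
]


def entropy_bits(keys):
    """Shannon entropy, in bits, of the observed distribution of keys."""
    counts = Counter(keys)
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values())


def surface_report(visitors, fields):
    """Entropy and anonymity-set statistics for the chosen attribute columns."""
    keys = [tuple(v[i] for i in fields) for v in visitors]
    counts = Counter(keys)
    set_sizes = [counts[k] for k in keys]  # anonymity set size per visitor
    return {
        "bits": round(entropy_bits(keys), 3),
        "min_set": min(set_sizes),
        "unique": sum(1 for s in set_sizes if s == 1),
    }


def marginal_bits(visitors, base_fields, extra_field):
    """Bits the extra attribute adds on top of the base ones (conditional entropy)."""
    base = surface_report(visitors, base_fields)["bits"]
    combined = surface_report(visitors, base_fields + (extra_field,))["bits"]
    return round(combined - base, 3)


if __name__ == "__main__":
    print("without cohort:", surface_report(VISITORS, (0, 1)))
    print("with cohort:   ", surface_report(VISITORS, (0, 1, 2)))
    print("bits added by cohort:", marginal_bits(VISITORS, (0, 1), 2))
```

The number that matters for an audit is the marginal one: a value that is weak on its own can still turn previously indistinguishable visitors into unique ones when joined with the rest of the surface.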