The website is really a third party here, the browser is choosing to track users browser history and report a summary statistic on it to anyone who asks, there's nothing the website can do about that.
Chrome has promised to listen if websites say they don't want to be included in the browser history they calculate that statistic on, but it's all client side, there is nothing the website can actually do but request that they aren't included.
Nowhere in this document does it claim that a summary of your browser history is being sent to websites. It explains the actual process of how cohort IDs are generated and used.
I think the problem here is just one of language, a summary statistic is a number calculated from a set of data that gives you some idea of the contents of the data, but condenses it in a way that you can't reproduce the original data. Common examples for numeric data sets are things like mean, mode, median, standard deviation. Common examples for data sets consisting of a finite list of strings (such as browser history) would be things like average length, character frequency, count, etc. The cohort id generated is unambiguously such a summary statistic.
I think language could be an issue here, but the problem as I see it is that cohort ID doesn't contain even a summary of the data. It's really just a number.
The website or ad network is able to read those numbers and build profiles on them, but it's still divorced from the user and their specific data.
I think a better comparison is that of a hash. It sums up the data, but is just a unique identifier for it. Of course with a cohort ID it's non-unique (by design).
Because the browser is only sending a number, it retains the ability to change, randomize, or obscure that number. That's an important privacy consideration of the system.
For what it's worth, I do think more work is needed. One of Mozilla's suggestions which I liked was to automatically send a missing ID on occasion, just to keep things a little hazy and reduce fingerprinting viability.
Fingerprinting is inherently less-necessary as a result of FloC, and you need to balance it to not become necessary again, but it's a way to protect users that fully opt-out without themselves become fingerprintable.
Rather than the browser sending a summary of your history, it calculates a cohort ID. That ID is sent to websites, and the website then has the job of associating IDs with interests.
So instead of building a profile on specific users, the website (or ad network) builds profiles on cohort IDs. Users can change IDs, or mask theirs altogether if they wish.
We actually respected DNT at an ad tech company I worked at and people still gave us grief for "tracking" them. We literally just 200'd the request immediately for all DNT requests. No processing, no tracking, nothing.
Hilariously, I even opposed removing the code later because I wanted us to be a good citizen but it was practically dead code because people were still calling us evil. They could literally set their UA to play along (or use one that set it by default).
I think we always kept the code in but it only incurred cost and we got blamed anyway. I think, looking back, I should have just removed that piece of middleware since no user ever really cared. It wasn't worth it for the org to pay for code so I could have a clean conscience.
We tried 202 and 204 and both led some UAs to show broken image placeholders. But during the time we did that people assumed that we were tracking them just incompetently ("Look! They've revealed themselves!" style).
Maybe we tried some other codes but anything but 200 was unsafe to many UAs (you could 3xx but UAs would break on 304 too because the tracking pixel wasn't actually cached). Anything that led to UA breakage was verboten anyway on our side since we didn't want anyone to have a broken experience because they set DNT. That would have been bullshit.
We were dumb-enough to handle P3P headers too (which AFAIK no one really used in the end). Lots of dead code. Ugh.
I've seen people say dnt could be ignored because it's off by default in some configurations(safari), and user did not make a choice. Would be interesting to see what kind of mental gymnastics these people would apply here to ignore user's opinion.
Chrome has promised to listen if websites say they don't want to be included in the browser history they calculate that statistic on, but it's all client side, there is nothing the website can actually do but request that they aren't included.