Also note that they allow for server-side data as well, so companies can send via backends and circumvent any ad blockers. Good companies do respect a user's preferences but not all do.
Fingerprinting and tracking links are common for unidentified users. Cross-domain cookies are harder to do outside of Chrome. For known users, you can sync data to Facebook with email addresses, names, phone numbers etc. This is likely why you see most websites these days trying to collect that info from you as early as possible.
You click on a tracking link, Server 1 now has a unique ID associated with that click. S1 forwards you to S2 with a unique identifier. S2 now has that unique ID associated with you. You buy something on S2. S2 sends a request to S1 saying "unique ID #123 bought something for $40".
Additionally, data brokers and data clean rooms now allow you to share data, making it easier as well. Snowflake, LiveRamp, etc. all offer super easy (and privacy compliant according to them) ways of implementing this.
I tried to request my data from a couple of media companies (Criteo, Apogee). Criteo required an image of my driver's license, and Apogee just ignored it.
I am not 100% sure but I believe in the US, only California has an official data compliance law (CCPA). GDPR applies to some degree as well but I suspect that many businesses will only make a best effort until decent fines are handed out.
Facebook could probably just ask to send whatever you got about the user and they'll deal with the identification. User agent + IP is probably more than enough. Worst case they just build a JS that can be included and give the full fingerprint.
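Added example, not part of the thread: a minimal Python model of the click-ID flow described above (S1 issues the ID, S2 reports the purchase from its backend), showing that the postback never passes through the browser and that removing the ID from the landing URL breaks the link. The parameter name `click_id`, the class names and the `shop.example` URL are assumptions made for illustration.

```python
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CLICK_PARAM = "click_id"  # hypothetical parameter name, not from the thread

class AdServer:
    """S1: issues a unique ID per click and receives purchase postbacks."""

    def __init__(self):
        self.clicks = {}       # click ID -> campaign
        self.conversions = []  # (campaign, click ID, amount)

    def click(self, campaign, shop_url):
        cid = secrets.token_hex(8)
        self.clicks[cid] = campaign
        # Redirect target; assumes shop_url carries no query string of its own.
        return f"{shop_url}?{urlencode({CLICK_PARAM: cid})}"

    def postback(self, cid, amount):
        if cid not in self.clicks:
            return False
        self.conversions.append((self.clicks[cid], cid, amount))
        return True

class Shop:
    """S2: remembers the click ID per session and reports purchases to S1."""

    def __init__(self, ad_server):
        self.ad_server = ad_server
        self.sessions = {}  # session -> click ID, or None if none arrived

    def land(self, session, url):
        query = dict(parse_qsl(urlsplit(url).query))
        self.sessions[session] = query.get(CLICK_PARAM)

    def purchase(self, session, amount):
        cid = self.sessions.get(session)
        # Backend-to-backend call: nothing here runs in the browser,
        # so a content blocker has no request to intercept.
        return cid is not None and self.ad_server.postback(cid, amount)

def strip_click_id(url):
    """Client-side mitigation: drop the click ID before the shop sees it."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != CLICK_PARAM]
    return urlunsplit(parts._replace(query=urlencode(kept)))
```

A session that lands with the ID intact is attributed on purchase; one that lands on the output of `strip_click_id` is not, because S2 has nothing to send back to S1.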