Does anyone believe for a moment this is limited to just the one app? Everyone forgotten how tiktok got caught out hoovering up the clipboard when Apple updated their OS?
Haven't apps always been the way to circumvent privacy features offered by the (mobile) browser?
My take may be historically inaccurate, but I think Apple's app eco system is rooted in the limited capabilities of the iPhone browser, at the time. Apple only reluctantly allowed other companies to target the phone's guts and then much later discovered the app store revenue model they are now addicted to.
With modern browsers and Web apps, "native" apps have since become mostly obsolete. The perspective has shifted in that contemporary Android/iOS apps are no longer a kludge to work around browser capabilities, but instead a market place for selling user privacy to third parties.
Security comes in only when it's absolutely obvious that app developers are way-overstepping the boundaries of what the app is supposed to do. Like back grounding and monitoring the clipboard for no good reason whatsoever.
As an app developer I can tell that's nothing unusual, bc most of the attribution user linking happens (or happened) through clipboard.
When you used google/firebase deeplink[1] functionality it was copying a hash shortly before the deeplink, that was then pasted inside the app and could be used to link both web+app sessions together, which was really helpful.