This is an egregious violation of privacy of the unsuspecting Chrome user who conducts their business while signed in to Chrome.
To make things worse, couple of years ago, Chrome started mingling Chrome Sync and cookies for accounts.google.com which meant that signing into Chrome Sync also automatically signed you into all of Google services. The cookies reappear even if you delete them, just because you are signed into Chrome Sync. Now, that same identity (<you>@gmail.com) is not just used for Google's own websites, but also made available to anyone who uses Google Analytics - which is 90% of the web - including your cross-domain and cross-device history. Of course, none of this is new, but I shudder every time at the thought of how much information the user is giving away about themselves.
In GA4, with Google Signals enabled, the "identity signal" is a psuedonymous identifier unique to your Google Account. I don't know exactly if it's a hash or a join key or what, but the point is it's stable across devices and domains.
It does not directly contain PII. Google can join it to PII, website owners cannot.
It is not aggregate. You can pull the hit-level data from GA, including the identifiers being used.
"...conflating the aggregate anonymized data in GA with the user level visibility Google has into the raw data?"
Isn't that kind of the point? I see no difference. Who cares what individual site owners happen to be able to see if Google is going to monitor, track, send back (telemeter?) way more data and be able to analyze and store it forever?
It's all about who might possibly get the data at a later date than who happens to house it presently.
EDIT: In fact, come to think of it, why are there two things being 'conflated' here? Why is Google collecting more information about Google Analytics-using sites than it's exposing to site owners?
To make things worse, couple of years ago, Chrome started mingling Chrome Sync and cookies for accounts.google.com which meant that signing into Chrome Sync also automatically signed you into all of Google services. The cookies reappear even if you delete them, just because you are signed into Chrome Sync. Now, that same identity (<you>@gmail.com) is not just used for Google's own websites, but also made available to anyone who uses Google Analytics - which is 90% of the web - including your cross-domain and cross-device history. Of course, none of this is new, but I shudder every time at the thought of how much information the user is giving away about themselves.