
I like the second part of your answer. Indeed, if you wanted something like a way to ID bad actors, you could do some scheme where the OS (or browser or even secondary service) could do some form of attestation that isn't trackable and has even stronger guarantees than some unauthenticated unique ID has. If Apple and Google can make their Corona Tracking APIs untrackable by third parties, then untrackable "valid device" APIs should be possible and feasible as well.

But you cannot make this my problem by saying "let me spy on you, or your shit gets more expensive, or sites have to close". That sounds too much like "an offer you cannot refuse". I will not surrender my privacy for failed business models.




The coronavirus exposure notifications are only "safe" because we assume no single actor can put Bluetooth receivers every square meter, thus rotating the IDs every so often is an effective defense against potential tracking.

The same couldn't work with the internet because essentially every ID would be known to potential bad actors, as they'd be tracking every single one of them (among other data points) and can easily defeat the rotation of those IDs based on other data points which don't change.


If you read the trust tokens proposal you can see how it does not have that vulnerability: https://web.dev/trust-tokens/



