> So for example a web site you connect to has no idea what your MAC address is.

...unless you (or the app you're running) tells it.

Exactly.

Well, I'd disagree with the first statement having worked with IPX/SPX ;-)

But, yeah, you're not wrong for IP networking - however, an app on the phone could forward the MAC address of the bluetooth connected device.

Regular apps can't typically access the MAC address of the connected device. Additionally, with BLE (& Bluetooth 5?) the MAC address is required to rotate regularly as part of the spec (IIRC even while connected but certainly the broadcast address).

BLE has a privacy feature that enables MAC address rotation, but it isn't a requirement. Apple products and Android phones use the privacy feature, but other than that most products don't. The possibility of tracking someone via the MAC address of their Bluetooth devices is very real.

But you are correct that regular apps can't address the MAC address of connected Bluetooth devices, so the tracking vulnerability that OP is suggesting isn't really possible.

Bluetooth uses MAC addresses too, so this still applies.

And no one farther than 30 feet from you will see your Bluetooth hardware address.

Yeah, but someone in your home might have a rogue phone app installed (or not even that, I bet companies like Xiaomi already so this with their smart home stuff) that scans bluetooth devices and sends the addresses so that they can be data mined.