We're spoiled in the desktop browser by being able to clear history, cookies, local storage etc, or use a private browser session. There's also the importance of the "same origin policy".

The Android platform API should simply never allow apps to obtain global system identifiers (serial numbers, "advertising IDs", MACs, Wi-Fi network info, IMEIs etc.) in the first place. Perhaps even going as far as not providing a shared filesystem.

Mobile apps, despite platform API permission, and having some ability to protect their own data, are a lot closer to desktop programs than web apps in many regards.

While you make good points about mobile apps, don't be too spoiled by the privacy offered by desktop browsers. Because of their configuration and various APIs, they're almost as easy to fingerprint as mobile devices with advertising IDs.

EFF has had a proof of concept online for quite a while: https://panopticlick.eff.org/

And HN users are probably even more vulnerable, since we will have customized our software, making it stand out.

Do you have a recommended setup to tackle fingerprinting?

I'm using a VPN + uBlock Origin + HTTPS Everywhere + temporary containers + don't track me google + chameleon + canvas blocker + custom user.js (that disables e.g. WebGL).

It's pretty good to address many tracking methods (e.g. cookies, IP) but fingerprinting is remarkably hard to prevent.

Disabling JavaScript kills fingerprinting in the womb. Enable only for trusted sites as needed.

This 100%. It will also make your web experience a lot better because so much of the JavaScript out there just does things you don't want anyway, such as loading ads and displaying popups.

If you are a web developer or are familiar with web terminology like origins, domains, frames, XHR, etc. on the web, and are willing to put in some time learning how to use it (15 mins for a seasoned web dev, maybe 30-60 mins otherwise), get uMatrix (https://github.com/gorhill/uMatrix). It will change your life! If not, use ScriptBlock on Chrome or NoScript on Firefox. Block all scripts (and if using uMatrix, cookies, XHR, and frames) by default and whitelist as you go for sites you trust (or want to use badly enough to potentially open yourself up for tracking).