Multiple pubkeys might be connected to each other via cookies.
Also some more information on browser fingerprinting https://developer.mozilla.org/en-US/docs/Glossary/Fingerprinting, and there is mobile device fingerprinting, too.
If you just connect I can see your IP, origin and user-agent in the logs:
Jul 23 21:33:35
Jul 23 21:33:35
If you post or try to post evens I will also get your npub.
So if you want to never establish a connection between your IP and your npub, you have to use Tor or VPN every time you send an event.
BTW this is just out of the box in the logs and the database. Bad relay can probably try to prod your device even further.
Discussion
I'm not sure if this is applicable on the relay level. A bad/poisoned App or Website can do so much more than a relay. I would be more worried about cookies and fingerprinting there.
Cookies are working with websockets (http handshake), too. Accept-Language header is also sent.
You are right. Bad relays can definitely collect more and do more harm.
Interesting, so it comes down to trusting good relays and avoiding bad ones? What do you look for in a good relay and what do you avoid to stay away from the bad?
That is really hard to say. I would assume that someone will eventually find out that the relay is probing you and requesting more than they need to, but there are no obvious red flags.