Web pages are not allowed to list your extensions. They can indirectly surmise you have certain extensions based on how your requests differ from expectations. For example, if they have advertisements, but your browser never actually makes any requests to load the images, CSS, JS or HTML for the advertisements, they can deduce you have an ad-blocker. That’s a datapoint they now have to ID you: “has an ad-blocker”

Now let’s say they have an ad they know AdBlockPlus allows, but uBlock Origin doesn’t. They see your browser doesn’t load that ad. Another datapoint: “Not using AdBlockPlus”.

Based on what requests go back and forth between your browser and their servers, they map out a unique fingerprint.

Now you visit another site, and lo and behold, all the same quirks are found. Tada, they now say “hm, probably the same browser,” and start personalizing content. Site use an ad network, so it’s the common denominator, not the sites you visit. The ad networks do the between-sites tracking.

also, VPN does diddly squat when you login to some service like google, facebook, xitter, amazon, outlook, reddit, etc. You logged in as you. They don’t give a shit you’re logging in from another IP. And if the sites are working with the same ad network, if you’ve ever logged in from your real IP even once, they they just add another datapoint about you: “Sometimes uses a VPN” and that gets tucked away in your permanent record.

nothing you do online is private. I’m not saying “give up” but it’s pretty bleak and I don’t see it getting better anytime soon.

only in theory. in reality, only one person would ever buy it then re-release the source code for free-as-in-beer. unless you’re talking about something other than GPL2/3.