Description
I am not able to construct a situation whereby someone might tell their browser to pretend to do Protected Audience in a way that sites cannot detect.
Is there some discussion about how this might be achieved? Or maybe something close to an undetectable opt out, like one that provides differential privacy?
For instance, if you pretend to accept markings, but throw them away, that is detectable. I assume that a site can add many interest groups and then query for their presence arbitrarily. If you partition them by top-level site, that is detectable if a site is willing to create a second site.
The partitioning approach is appealing, but it also has some pretty interesting implications when it comes to limits. You can't enforce global limits or that breaks the partitioning (hello, tracking).
Does removal of the auction failure leakage (and negative targeting) address this? I don't think that it does until you close off all of the other auction result leakage vectors.