See https://varun.ch/history for the shape of the attack that I'm thinking about. That specific attack has an expiration date now that browsers seem likely to partition :visited. However, Protected Audience specifically creates cross-origin signals that might be exploited in a similar way.