k-anonymity here is intended, I believe, to provide the protection that an ad can't be microtargeted to an individual or very small group. That is, a company can't tag a customer by name/identifier, and then send ads to them elsewhere of the style "Nick Doty, don't you want to buy this item that you had in your cart?" (The privacy protection would of course also apply to ads that don't reveal in their content that they are microtargeted, but that can use that identifier information to learn something about any user that clicks on the ad.)
https://github.com/WICG/turtledove/blob/main/FLEDGE_k_anonymity_server.md proposes using private state tokens (privacy pass tokens) where the blind signature confirms that each user has a Google account.
Does this provide much protection? If an attacker controls more than k accounts (50, for example, not a large burden), then they can remove the protection altogether for n users. I'm not sure what order of magnitude n is, but it seems to be much, much larger than 1, since it's at least the number of interest groups that any valid user can join.
Does the protection apply a minimum number of ads that won auctions and are shown to users? Or just the number of users in the interest group before the interest group can be used in an auction? It seems like the latter, which makes the attack cheaper; the attacker doesn't have to pay to show k ads in order to display it to the targeted individual (an attack that will seemingly always be possible even if the k-anon guarantee is kept).