@kdenhartog noted in #262 (comment):

If I remember correctly, the framing that's been used within the verifiable credentials use cases note is whether the claims are 3P attested or self attested and whether the claims are identity based claims or non-identity based claims. This is likely something worth referencing and pointing to as an indication of how the specific claims being shared can impact the privacy model.

For example, if someone is just sharing self attested claims to speed up the process of filling out a form that's really not a big issue. This is basically the standard model used by web app forms today that allows for the user to falsify information to generate a pseudonym as they choose.

The Devices section of the note also indicates how the API may be used for non-identity based claims (albeit these specific claims likely do introduce fingerprinting risks, but we can ignore that for the high level distinction).

That seems to be a valid use case here to for this API IMO.

We should probably look into incorporating this into the Spectrum of Privacy or "unnecessary use" sections