I wasn't responding directly to Matrix's use of MAS. More generally I aimed to make the parent poster aware of a new technology that allows for private authentication, which they claimed was impossible.

Privacy Pass is currently being standardized by the IETF, so we may see more widespread adoption eventually: https://privacypass.github.io/

Just to make the claim clearer: it can't matter what the authentication mechanism is.

If a Privacy Pass token is needed for access to your email, then redeeming the token tells the service you (the client) can access your email. That's identified you.