They could thought right? because if you login to a website (that's passed along an ID) then you would have that bit set.

I don't need to know for certain the account on the receiving side exists, just that I have signed in before with it. Facebook does this at least!

Like "has an account" isn't possible without leakage, but "has logged in through this flow before" (hell, stick timestamps in there too!) does.

One thought though: your SSO provider has that account list, but often prompts a re-login. So it could be that your SSO provider account picker _doesn't have access to your account information fully either_.