There is no device ID, only ones tied to a user login on a phone, and the app must request a permission to get it. You can, for example, know that the user ID (which you obviously also need to have a permission to retrieve), is being used on the same device as was used to access your service in the past. Or you can know that this particular otherwise-anonymous user/device combination is being used again. I'm pretty sure that's likewise possible on iOS, but folks can chime in.

And of course there are guidelines that disallow most of the abuse scenarios I suspect people want to imagine: https://developer.android.com/identity/user-data-ids

Not familiar with how Android does it anymore, but sounds fairly similar to iOS.

The main difference is it's opt in on iOS, but opt out on Android I believe.

On iOS, when the app pops up and asks to track, if the user says no, the app can't access the system advertising ID at all, and also is not permitted to track activity via other means like email address, user ID, etc (but the only thing that's technologically enforced is the system advertising ID, it's only forbidden by policy to not use other tracking methods).

Given the huge fit Meta threw after Apple implemented this, while they were silent about Android, I'm inclined to believe Apple's method has more of a privacy impact.

Also worth noting Google is hoping to move away from device-level advertising IDs with their "privacy sandbox" thing.