Razengan 4 days ago

Apple's "iCloud Keychain" API lets Facebook and other apps track you across multiple devices and even device resets, because it's tied to your iCloud account. There's no way for a user to see or delete that secret data, except asking and trusting those apps to delete it.

This "exploit" has been there for years.

I only ever used throwaway accounts on Facebook, just to access some services that were only accessible via FB. At some point FB banned my account. I created a new one on the browser. Worked fine. When I signed into that account on my iPhone: instant ban. Delete FB app on iPhone, reinstall FB, try new account, same thing. Try a new iPhone, same iCloud account, new FB account: instant ban again.

They can track you not only across app reinstalls and device resets, but also across multiple devices. And Apple facilitates it.