You're right that this assumes an account. The way that cross device/browser identification works in IPA is that if you are logged into example.com (though realistically, often Facebook) then it can set a "match key" which is the same on device and browser. You can't read the match key, only write it. This match key is used to link up activities on both. The point of the crypto is to rerandomize the match key that appears in the reports so that it is possible to see that two actions are from the same device but not link that back up to the original match key. Note that in this proposal, the assumption is that anyone would be able to use anyone else's match key (addressed by origin) so that it's not a big advantage to be the site with the account.
Re whether this is a regression or not: I am not an expert on how the current attribution mechanism works but I believe that if people are logged into (for instance) Facebook then Facebook can use that to correlate clicks on device A with purchases on device B.
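A toy sketch of the property described in the comment above (same match key gives the same pseudonym, which cannot be traced back to the match key), added here as an illustration and not taken from the post or from the IPA proposal. It assumes ElGamal-style rerandomization plus exponent blinding by two hypothetical helper parties, with toy group parameters; `Helper`, `report` and `pseudonym` are names made up for the example.

```python
import hashlib, secrets
from math import gcd

# Toy parameters (assumption): Z_p* with the Mersenne prime 2^127 - 1.
# Not a secure group choice; it only keeps the demonstration short.
P = 2**127 - 1
G = 3

def hash_to_group(match_key: bytes) -> int:
    """Map a match key to a nonzero element of Z_p*."""
    return int.from_bytes(hashlib.sha256(match_key).digest(), "big") % (P - 1) + 1

def encrypt(h, pk):
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), h * pow(pk, r, P) % P

def rerandomize(ct, pk):
    """Same plaintext, fresh randomness: output looks unrelated to the input."""
    s = secrets.randbelow(P - 2) + 1
    return ct[0] * pow(G, s, P) % P, ct[1] * pow(pk, s, P) % P

class Helper:
    """Hypothetical helper party: a decryption share x and a blinding exponent k."""
    def __init__(self):
        self.x = secrets.randbelow(P - 2) + 1
        while True:  # k coprime to the group order, so blinding is a permutation
            self.k = secrets.randbelow(P - 2) + 1
            if gcd(self.k, P - 1) == 1:
                break

    def share(self) -> int:
        return pow(G, self.x, P)

    def process(self, ct, remaining_pk):
        c1, c2 = rerandomize(ct, remaining_pk)
        c1, c2 = pow(c1, self.k, P), pow(c2, self.k, P)  # Enc(h) -> Enc(h^k)
        c2 = c2 * pow(c1, P - 1 - self.x, P) % P         # strip this helper's key share
        return c1, c2

def report(match_key: bytes, h1, h2):
    """What a device or browser would emit: a fresh encryption under the joint key."""
    return encrypt(hash_to_group(match_key), h1.share() * h2.share() % P)

def pseudonym(ct, h1, h2):
    """Pass a report through both helpers; the result is h^(k1*k2)."""
    ct = h1.process(ct, h1.share() * h2.share() % P)
    return h2.process(ct, h2.share())[1]
```

Neither helper alone holds both blinding exponents, so the final value can be compared across reports but only inverted to the hashed match key if the helpers collude.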