As I understand it, the attack here is that the user in question has an account on site A, and site A is able to share the user's cohort IDs with other websites, and this allows the creation of a unique tracking profile across all websites over time.
How so? That is really non-obvious to me. If site A associates user X with IDs 1, 2, and 3 over three weeks, how does that help site B that only sees the IDs? When B sees ID 3, without any further unique identifier, they won't know that the same device came with ID 1 and 2 beforehand.
If site B also had an account and both sites worked together, they could simply compare the email address.