
Currently federated identity providers do not provide a separate identity to each site you are authenticated on. At that point any collaborating sites can pull together all the information you give to any one of them. Hell, in most cases your "identity" is your email address, so every site you authenticate with can spam you directly.

"Trust tokens" was built to deal with these issues just for this use case: https://developer.chrome.com/docs/privacy-sandbox/trust-toke...



The Shibboleth IdP also supports per-SP opaque nameID, but nobody likes SAML-based protocols, and as far as I know, outside the academic identity federations, no one deploys Shibboleth ...
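The per-SP opaque identifier mentioned in the comment above, sketched as an added example that is not part of the thread and is not Shibboleth's or any other IdP's actual algorithm. It derives the identifier with HMAC-SHA256 over the SP entity ID and the user ID, then counts how many accounts two collaborating SPs could join on the identifier they receive. The secret, entity IDs, user list and function names are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample values; the secret, entity IDs and users are assumptions.
IDP_SECRET = b"constructed-demo-secret-not-for-production"
SP_A = "https://sp-a.example/saml/metadata"
SP_B = "https://sp-b.example/saml/metadata"
USERS = ["alice@example.org", "bob@example.org", "carol@example.org"]


def pairwise_id(secret: bytes, sp_entity_id: str, user_id: str) -> str:
    """Opaque identifier that is stable per (SP, user) but differs across SPs."""
    sp = sp_entity_id.encode("utf-8")
    user = user_id.encode("utf-8")
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = len(sp).to_bytes(4, "big") + sp + len(user).to_bytes(4, "big") + user
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def released_ids(sp_entity_id: str, pairwise: bool) -> set:
    """Identifiers one SP would end up storing for every user in USERS."""
    if pairwise:
        return {pairwise_id(IDP_SECRET, sp_entity_id, u) for u in USERS}
    return set(USERS)  # shared identifier: the email address itself


def correlatable(pairwise: bool) -> int:
    """Number of accounts two collaborating SPs can join on the identifier."""
    return len(released_ids(SP_A, pairwise) & released_ids(SP_B, pairwise))


if __name__ == "__main__":
    print("shared email identifier:", correlatable(False), "accounts linkable")
    print("pairwise identifier:    ", correlatable(True), "accounts linkable")
```

Pairwise identifiers only prevent this join if the IdP does not also release the email address or another shared attribute to both SPs.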


Shibboleth is terrible -- so terrible it was easier for me to write my own SAML IdP from the specification than try to make it useful. Lots of people use Active Directory Federated Services (ADFS), which has a SAML IdP.



