That walled garden still appears to have major holes in its fences, as shown by the Facebook SDK having infected every single mainstream app for the sole purpose of stalking the user in the background (over time Facebook can correlate the traffic by date/time, IP address, device type, etc and link different instances of the SDK together).
Yes, but this what the feature is aiming to address. Apps that use the Facebook SDK will have to ask for permission to track the user and if the user says no they shouldn't intialize the Facebook SDK, at least not the parts that relate to ad analytics and tracking.
It seems to me that this feature only restricts access to the IDFA/Advertising ID. It does not prevent the app from loading a piece of malware that uses other means (device & network fingerprinting) to stalk you regardless of the availability of the IDFA.
Apple have been very clear about you being responsible for the SDKs you use and while the technical limitations are only about IDFA Apple have also stated that other methods of fingerprinting are not allowed when the user asked not to be tracked. Thus, App A that uses SDK B can be banned from the App Store if the user asked not to be tracked but B still tracks using something like fingerprinting.
