Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ

Adtech relies on the OpenRTB 2.5/2.6 spec for tracking, you would have removed 1 identifier out of a hundred (one that isn't really used anyway given SSAI is so popular). In addition to that, cookie expiry timers are typically set to 365 days meaning you're VPN would need to enabled at all times to not invalidate multi-hop. WebStorage API based trackers tend to be indefinite.

ORTB spec: https://www.iab.com/wp-content/uploads/2016/03/OpenRTB-API-Specification-Version-2-5-FINAL.pdf

EDIT: If anyone is looking for more specifics about WHY IP addresses and multi-hop don't matter, the spec includes a mention:

BEST PRACTICE: Proper device IP detection in mobile is not straightforward. Typically it involves starting at the left of the x-forwarded-for header, skipping private carrier networks (e.g., 10.x.x.x or 192.x.x.x), and possibly scanning for known carrier IP ranges. Exchanges are urged to research and implement this feature carefully when presenting device IP values to bidders.

The issue is that mobile is so prevalent and mobile networks rely so extensively on CG-NAT that even with XFF headers, there's no good way to tell if you are going to get an IP address that actually matters. You could potentially put in a lot of auction time trying to figure that out and still just end up with a private address that's unusable. So, aside from the devicetype and the geo object which is used for geo targets and fencing, the device object isn't useful in tracking. Instead adtech uses the user object. This object should contain all your GDPR specifics, any EIDs, 1st party cookie IDs, etc. Even if those change, there usually exists backend mapping that allows for vendors to correlate different user IDs as being the same user ultimately.