The issue is that a site that claims to point to a third-party app store will send a unique user ID to that store, enabling you to be tracked around the web.
Realistically, this is only a big problem if somebody big (Meta/Amazon/Alphabet/Microsoft or one of the big data brokers) figures out a way to add this code to the site through a tag (most people who particularly care about privacy online will have this blocked by default anyway) as changing source code directly on site is a much higher barrier to implementation than adding to a container tag.
This will probably be fixed sometime relatively soon - as much as I don't like Apple, I think they're generally pretty good at sorting this kind of thing so it's unlikely that any of the big players will put a lot of resources into making this a cross-site tracking vector. That being said, this might a fundamental issue of how Apple are forced to act under EU law so will be forced to remain a vector long-term at which point it will be worth it for the big tracking providers to set up tracking here.
To answer your questions, specifically about cross-site tracking:
1. Potentially at risk if the 3rd party app store wants to monetize this cross-site tracking avenue.
2. Potentially at risk if the 3rd party app store wants to monetize this cross-site tracking avenue.
3. Potentially at risk if the 3rd party app store wants to monetize this cross-site tracking avenue.
4. (Navigates to any website that points to a 3rd party app store that wants to monetize this cross-site tracking avenue) -> At risk
Fundamentally, if Google add a call to a "third party marketplace" that they own in their Google Analytics tag, then they will have functionally full cross-site tracking on anybody not blocking Google Tags.