Re: So what is to stop the user ...
I don't see in the WebKit writeup where it says the IDs are limited to 0-63. What it says is that campaign ID is limited to 6 bits. However, I also don't see a mention of an advertising ID at all, so I'm not sure where I got that from.
In any case, the ID isn't why I consider it insufficient. I consider it insufficient for a number of other reasons, including the dependency on tracking pixels. The whole scheme also relies on trusting the websites and (to a lesser extent) ad agencies to play fair.
I'm not saying that the scheme is bad at all. I'm just saying that it is not as protective as my current methods are.