A set of 4 hints (`dpr`, `width`, `viewport-width`, and `device-memory`) have a default allowlist of `self` but behave as though they have a default allowlist of `*` on Android. The default allowlist of `*` goes against the Client Hints Infrastructure standard; fixing this will increase privacy on Android by requiring explicit delegation of these hints.
One residue of the rapid Client Hints Infrastructure iteration is the concept of a `legacy` client hint. It’s a set of 4 hints (`dpr`, `width`, `viewport-width`, and `device-memory`) which have a default allowlist of `self` (meaning that they are not sent to third-party subresources unless delegated via Permissions Policy) but behave as though they have a default allowlist of `*` (meaning they are sent to third-party subresources as long as the first-party page requests them) on Android.