I wonder how does the telemetry they gather from the users of their app (“The Threads app can collect data related to your health, financial information, contact information, browsing history, location and purchases, among other things.”) affect users who interact from other instances (for example some mastodon instance) with thread users posts/replies.

If they really wanted to, they can make it work. Maybe add spyware through a security hole in Lemmy no one’s discovered yet. And since instances are federated, they just spread the disease to one another and it’s users. Anything is possible. If a human made it, it can be broken.

One thing I’ve learned thus far is to never trust a platform/software owner that has a financial interest. RHEL is also a perfect example of that. The latest changes basically do exactly what MS did 20+ years ago when FOSS and open source was at it’s infancy - shared source. It’s a company that deals with FOSS software for more than 25 years, yet they decided to do this. After you see things like this, you really start to reevaluate things. Many people are scared to donate code to companies now, that’s why projects like Arch and Void thrive nowadays. People finally said “f it, I’m not contributing code to a company that might wanna sell that some day, better donate it to community projects”.

Mastodon for example, the instance owner/maintainer has the following extra information on users of their instance: “IP addresses, email, when they connect, what toots they browse and when”.

That’s perfectly normal, Lemmy admins have that info as well. Forums also have that info… you can’t hide everything, that’s nuts, you at least have to have an IP to browse the internet.

So this information is not available to Meta, if you are interacting with threads user for example from a mastodon instance that is federating with the threads instance.

Well, kinda, but not exactly. In order for a post or a comment to be saved on Lemmy (and I presume the same is true for Mastodon), 2 copies of the post are made. One resides on your instance (that’s called the original) and the other is saved on the instance on which the community you posted in resides (that’s the copy). Both copies share the same info, date, time, username, post content, original instance (the one you’ve got your account on), etc. Even if the IP is only available on the user’s instance, that still gives meta (or anyone else) a lot of info to manipulate with. They know my username, post content, date and time of post. That info can easily be exploited by people who know what they’re doing. As I said previously, all it would take is a piece of malware that could grab data from the instance’s database and send that to Meta, or whoever. People think that this is really hard, it actually isn’t, coders do stuff like this for fun every day.

I’m not seeing how they are getting extra information on you as they can collect all the metadata and your mastodon behaviour already by just creating another anonymous mastodon instance that gets federated with other mastodon instances and then collect the data that can be gathered across the instances. Or maybe you can even scrape the data from mastodon without running an instance even? I’m just trying to learn as I go and my information may be wrong. Please anyone correct/fix if there are mistakes here and inform me more thanks :)

They could do that, but with thousand of instances in the fediverse, that’s just not viable. Even if you do it only to the larger instances, you still have to automate the process, which can get tricky if you don’t actually use the fediverse’es biggest downfall (and it’s biggest strenth at the same time) - everyone is connected to everyone else. Sure federation is clanky ATM, but that will pass. Eventually, everyone will in fact be connected to everyone else. It’s a lot easier to spread malware that way.