Your browser (probably) allows the use of cookies; however a website which doesn't ask the user for appropriate permission is still in breach of the law.

Isn't it down to the app developers though whether they allow the ID to be used to serve ads in their app (whether or not in practice there's a mechanism to do that, it's the app developer that's essentially choosing to use it by implementing ad networks and SDKs that use it, not Apple forcing it on them).

It’s not Apple doing the tracking. The knife manufacturer is not reaponsible if you stab someone.