They are almost all are protected by access-control-allow-origin headers and magic prefixes on JSON responses that prevent JSON hijacking and other nasty attacks.
I'm not sure there is a good reason not to be pre-fixing this JSON; the nice thing is that the Facebook preferred prefix ;) produces an invalid UTF-16BE character, so would prevent the attack.
This is limited in that you need to be checking against a known list of users, rather than just being able to determine the users identity automatically. However, anyone affected by the Cambridge Analytica data situation whose data is already known, they would now be able to be identified and tracked across websites even without using any Facebook APIs.
A final example might be anyone on a corporate IP address or network, where the list of users is probably fair easy to harvest and is fairly finite.