There are several details of the set validation process that are left out at this point. Since the spec recently converted away from leaving this to a trusted-third party (the IEE), it is worth diving into what replaces it.

Currently First Party Sets relies on a “public submission process (like a GitHub repository)” to validate and approve sets. Here are some gray areas I see in abuse mitigation measures that I am curious about:

• Would the list of sets be per-browser or would it be common to FPS-supporting browsers?
• Who has the ability to add sets to the list?
• Who handles reports of invalid sets?
• How are the definitions of “ownership” and “affiliation with the set primary is clearly presented to users” managed?
• Will there be moderation of the public process? If so, who maintains it?

Since the submission process is trusted to manage the privacy model exceptions this proposal creates, I think it is important to consider in more detail.