I've been using ublock origin for the longest time. Set it up in advanced mode and block all 3rd party domains by default. I know it can block individual line items during the js interpretation stage based on matches to plugins like anti-malware scripts. I tend to whitelist some domains I trust on all domains and I'll even blacklist some domains I don't ever trust on other domains (like facebook and anything with px in the name).

Ultimately - the more protection you put in place, the more likely you will stand out to fingerprinting. They don't give a shit about user agent descriptions. They look at things like how does your browser render a semi-transparent pixel when aliased ontop of something else. What HTML5 Canvas features does your browser support. Attempt to run this list of scripts and see which ones fail. All of that helps make a non-unique print of your browser that hints at an identity even without your Windows Device ID.

I wish tools like ad-block would allow everything to render download in the background but just block things like ads from rendering. That would prevent ad block detectors from knowing they are being blocked,

A lot of the Javascript attributes used for fingerprinting are used to decide WHAT to render and to cache settings so things work smoothly the next time you come back.

For example, the amount of RAM, your WebGL settings and version, presence of audio, mic, and camera, and screen dimensions are all relevant to a game, a browser-based video-conferencing app, or WebASM based tools like Figma.

And unless you want an app to do a full check each time it returns to foreground, it will likely cache those settings in a local store so it can quickly look it up.

If the app needs to send some of this data to the cloud so the server changes what it sends up, they now also have your IP address, rough reverse IP coordinates via ISP, and time. You can use VPN or Tor to obfuscate IP addresses, but you have to remember to turn that on each time you use the app, and in the case of VPN, to disconnect/reconnect to a random server to semi-randomize your IP (or use Tor, which does this for you).

But to answer the first question, changing or disabling those settings could break a bunch of features, especially Single-Page Applications, those using embedded analytics, or any amount of on-device graphics.

What is meant by "sensitive information" here? Browsers can't just willy-nilly access your local files or something like that. The one thing I can think of is using JavaScript to collect information that can be used to identify you. (Is that "sensitive"? I'd put that in "identifying information".) My honest suggestion is to keep using NoScript and just allow as few domains as possible. The next best option is to stop using websites that break without JavaScript when there's no reason why they'd need it.

I can imagine there being a plugin that spoofs some common ways that allow sites to identify you cross-sessions / browser / websites without your consent, but blocking JavaScript (by default) is likely one of the best ways to reduce the amount of information collected about you. When you do find such a plugin, check out one of the "browser fingerprint" testing sites to see how unique your fingerprint is.

(That is, if I even understood the request properly in regards to the "sensitive information" bit.)

Not afaik. You either allow it or not. Doing so selectively would require a lot more knowledge than I have.

As a workaround however, running a VM and using your browser from within that would seem like a decent-ish way to obtain similar results with minimal effort. You can use the hypervisor to set whatever limits you require.