> My argument was that drawing a distinction between a "site" and modules that are part of that "site" but are from other parties is dubious.
It is not only not dubious, it is in fact enshrined in law. I brought up the GDPR explicitly to highlight this. Specifically in the context of tracking and personal data, there is a distinction between the site I am visiting and the legal entity that is controlling it on one hand, and other entities that it contracts to achieve its purposes.
If your understanding of 'a website' includes all of the 3rd party trackers that it may be using, then the wording becomes obviously correct. I would venture though that this is not the common connotation of the phrase 'you may still be tracked by the website you are visiting', which I believe most people would take to mean more 'the origin server', i.e. 'I may still be tracked by the 1st party entity who owns the site I am directly visiting, but I will no longer be tracked by other parties'.
In fact, by your definition of 'the site I am visiting' , incognito mode offers no more tracking protection than regular browsing, as I can never be tracked by anything but the site I am visiting, including Google analytics, Facebook, and any other ad networks that they chose to use; I am never tracked by any site that I am not currently visiting, obviously.
Another commenter said that this wording implies that it DOES prevent Google Analytics, since it is not part of the site.
My argument was that drawing a distinction between a "site" and modules that are part of that "site" but are from other parties is dubious.