On top of that: whenever DNF (or other high-level package management tools) refresh metadata, the request for mirrorlist information goes to Fedora mirrormanager servers, and to the servers for other repos you may have enabled. By default, DNF does these refreshes in the background without interaction.
This doesn’t allow us to track which packages are installed, but it does give us some information simply intrinsic to the request. We probably have other software that does similar things — I don’t know offhand how Flatpak works in this regard, for example. There are likely other programs which include network activity (possibly to some third party) as part of their normal functions, or which like Firefox have intentional data collection enabled.
I have said earlier somewhere in all of this that Fedora has never tried to really make a privacy-focused distribution. It doesn’t mean that we don’t care about privacy — we absolutely do! We’ve never drawn a really hard line, though. Such a line would come with compromise for users, developers, and our support and quality teams. I don’t think we are likely to take an overall extremist stance. But, we’ve got room to explore — and there is certainly room to make things better. I encourage people who are interested in Fedora taking a more privacy-intentional tack to help work on it.