Note that “tracking” is used in an intentionally misleading way here. Apple’s guidelines expressly permit all sorts of silent, invisible, no-opt-in tracking within apps, and most apps in the app store embed this sort of spyware.
The term “tracking” in this instance refers to GPS or contacts permission and other such things that Apple has built an opt-in switch for.
The maker of the app can send network requests, to themselves or any third party service they like, for every single action taken within the app: every launch, every click, every character typed, even every background refresh. They can include a unique tracking identifier to cross-reference these requests, they can further include any login/id information you’ve provided to the app, and they can include location information if the app has GPS permissions.
Even without GPS permission, IP geolocation provides them a rough track log, enough to say “user x was in california on monday, new york on tuesday, then new jersey for the remainder of the month”.
The way I read this (as well as their recently-postponed change regarding the advertising ID) is that they are explicitly tightening up the rules and will hopefully crack down on the behavior your describe (malware - aka the Facebook SDK - being embedded in every single app).
The term “tracking” in this instance refers to GPS or contacts permission and other such things that Apple has built an opt-in switch for.