It does sound fantastical. A piece of code that can violate the same origin policy would be a huge vulnerability. Meta could be working with other sites to share data on users via code running on both sites, but snooping on tax data without the IRS helping? Unlikely.
I can only assume they're suggesting that companies like Intuit and H&R Block are sharing this data with Meta, but that seems like a huge violation of privacy and with tax data it might even be illegal.
Basically, they created a channel between the browser and a localhost webserver running in their native apps, by abusing the ability to set arbitrary metadata on WebRTC connections. That way, they were able to exfiltrate tracking cookies out of the browser's sandbox to the native app, where they could be associated with your logged-in user identity.
You are implying Meta and others were able to just siphon data from any website via WebRTC using their native apps, but this was not the case. They were only able to track which websites you visited if that website already embedded the company tracking. Many websites do, but not all.
I can only assume they're suggesting that companies like Intuit and H&R Block are sharing this data with Meta, but that seems like a huge violation of privacy and with tax data it might even be illegal.