I feel like using wireshark to look at what's being sent back and forth from Windows telemetry, when using Edge, Chrome & etc should reveal what's being sent and recieved. Using MITM SSL spoofing should be able to intercept the packets.
To lift examples from the slides, that includes page titles:
"CorrelationGuid": "7da62b73-082f-4eb2-a370-135d0113e1dd",
"EventInfo.Level": 2,
"PageTitle": "SiSyPHuS AFUNKT - Search",
"TabId": 830425073,
"client_id": -7497793556371901000,
"pop_sample": 100,
"utc_flags": 140737488355328
The transitions between pages: "IsSameDocumentNavigation": 0,
"client_id": -7497793556371901000,
"navigationUrl": "https://www.bsi.bund.de/DE/Service-
Navi/Publikationen/Studien/SiSyPHuS_Win10/AFUNKT/SiSyPHuS_AFUNKT_node.html",
"referUrl": "https://www.bing.com/",
"HttpStatusCode": 200,
And even which link you clicked in the page: "DOMElementPath": "A|1||c-link%20c-link--download%20FTpdf;P|5[…]gsb%20lang-de%20fixed%20js-on;HTML|1||",
"DOMAnchorHrefUrl": "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/SiSyPHus/AFUNKT.pdf?__blob=publicationFile&v=6",
[0] https://troopers.de/troopers23/talks/bsabut/You can also use the Windows Diagnostic Viewer to check the telemetry data being shipped to Microsoft. I'd be willing to bet that you could use Edge (with defaults) and see the URLs being sent to Microsoft but nothing would come from Brave, Firefox, Chrome etc.
I imagine it's not too difficult to narrow down the potential suspects with how much data points you'd get from ISP, Windows telemetry, and whatever.
Reminds me of Google Safebrowsing.