A PWA has lots and lots of issues regarding trackability. start_url is just a very minor part of that. An application that is actually a weird website will be able to track you, there will be Javascript with tons and tons of attack surface for this.
If you don't want tracking, use proper local applications and deny them network access.
This smells like a story Apple shopped out to keep defending their 30 percent racketeering operation. PWAs are better than native apps for privacy and security in almost every single way.
Then you are just pushing where the uuid is stored up stream another step.
In order to refetch the manifest you will have to remember it’s location. Just use /<uuid>/manifest.json as the manifest location and have the server inject that into manifest file when fetched.
If you don't want tracking, use proper local applications and deny them network access.