If you are within BLE range you can "track" someone, but that is already the case with wifi/bluetooth in general.
Even known the public key, you can download the encrypted reports from Apple, but since you don't have the private key you can't decrypt the location messages.
That's why devices that aren't intended to be beacons are supposed to enable address randomization. It still has some security issues and undirected advertising of unique public keys obviously defeats the point, but it's more difficult to track than classic devices were.
Even known the public key, you can download the encrypted reports from Apple, but since you don't have the private key you can't decrypt the location messages.