One feature NewPipe has is to import your list of subscribed channels, after you've exported the list from YouTube. So if a NewPipe install queried YouTube to "give me updates for the following channels", YT could "fingerprint" which account the channel list came from. And match the IP of these NewPipe requests to the IP of the account (since the GMail app would also be talking to Google from the phone), and Google can be certain it's the "abuser".

That's one possible vector...