Anonimity of Bluetooth tokens

In the context of contact tracing, I have a privacy question.

I have read a few (and “few” is already a bad thing) articles about Bluetooth contact tracing, especially in the context of the Sars-Cov2 pandemic. There are huge privacy concerns in contact tracing.

One solution proposed by reasearchers is to use “changing” device identifiers in order to prevent authorities from tracing an individual’s location history by the usage of beacons in public places or analysis of traces from other devices. The topic is particularly hot in the European Union.

Only question here: regardless of the randomization of the device ID transmitted via Bluetooth, is it already possible to listen for Bluetooth MAC addresses to identify a single device?

Example scenario: in a world where smartphone owners are encouraged to use a legitimate government-powered app (supposed that the government is democratic), a rogue vendor with a large market rate may push a malicious Bleutooth app into their consumer’s phones (a large user base who just clicks on “accept” anything). The malicious app continuosuly scans for Bluetooth MAC identifiers to report home. The addresses are potentially georeferenced. Deanonimyzation might occur.

So far, I have always learned to keep my Bluetooth invisible while I don’t need it and possibly turned off to save battery.

A country or continent-wide contact tracing scheme might be a good excuse to keep Bluetooth on and available for scan.

Question is: what am I getting wrong?