

Yup. Entirely possible. Blocking third party cookies might somewhat reduce sites’ ability to tell that you’re the same you on the same browser between VPN and direct connection, but even that isn’t any guarantee that Linkedin (and/or the ad providers Linkedin uses) and Spotify (and/or their ad providers) don’t know you’re the same user between VPN and direct. And if there’s some amount of collusion and/or purchase of user tracking info going on between those entities, even only first-party cookies are sufficient for them to be able to prove the link between your direct and VPN IP addresses. Even without any cookies, though, there are still browser fingerprinting techniques that are worth looking into if you want to know more about defeating that sort of tracking.
Wait, “everything?” Yeah, that’s probably contraindicated. You don’t want to be changing ownership of stuff in, say, /etc or /bin or whatever to your user. For the most part, stuff in those locations should be owned by root:root. If there are exceptions (things that should be owned by root:<something else>), the package manager will make sure they’re set as they should be.