Changing operating system changes browser fingerprints?

What we have are “buckets” of Tor Browser users. We don’t know for sure how many users are in each “bucket”. We assume advanced scripts are not fooled by randomized values (the real value is still protected). We also assume advanced scripts and back-end servers to be able to fuzz not-so-stable-metrics (such as changing inner window dimensions, adblocking) to still link traffic - i.e. some metrics are not very stable from a FPing perspective but they can help short term. So we expect everyone has a static fingerprint when it comes to advanced scripts. And we assume the worst.

Some things you cannot hide. Such as your OS, version, your OS architecture bits, available fonts (either you have it or not), that you are using Tor Browser and so on. And some things we cannot lie about because they are needed as is: e.g. if you need Arabic, then request pages in Arabic or it defeats the purpose, e.g. if your inner window’s viewport is a certain width and height we report that otherwise layout and other bits and bobs break. We still have defenses for some of these: such as tightening secondary languages, snapping inner window viewports to set sizes, only shipping one of each locale such as en-US and not also en-GB, en-CA, limiting fonts and bundling some to make everyone (per OS) as similar as possible. We can’t lie about the timezone, but we can enforce everyone the same - but we have to actually use that one timezone.

And some things we can lie about - such as your hardwareConcurrency, or audio latency. We also lie about canvas - by totally randomizing it (and you can allow it per site for that session if you really need it: this does not compromise your fingerprint as it is only on that site, only for that Tor Browser session, it is only one metric albeit one that can yield good entropy, and for sites to link you all those sites need the exact same canvas tests - which is often not the case).

Anyway, long story short, all this means that not all Tor Browser users look the same - this is a fallacy. Tor Browser users instead should fit into as small a number of buckets overall as possible. The goal would be to get down to as little as e.g. 4 x OSes times 36 languages that we support times a dozen window startup sizes x 1 timezone x 1 version etc …

And we do that by eliminating or reducing the possible results or buckets per metric: a metric being something like your OS (Windows, Linux, Mac or Android), or your screen width, etc. We don’t mind if we split the protection between existing buckets, such as per OS, because you can’t hide that. Some we know work from testing and maths, and some we know because it’s hardcoded. And some we know need hardening.

The question is “how many overall buckets of users are there?” - and the answer is no-one knows, because to get that we would need a large real-world study of one test per profile/browser. This would give us a general idea of how many buckets and the spread of users. The spread matters, because not all buckets are equal - someone using English on Windows 11 is going to be more prevalent than someone using Tibetan on Linux, for example.

But what we do know is that we have made it extremely hard for a Tor Browser user to stick out. With advanced scripts, the bigger the crowd, the better the protection. Imagine all those buckets from the large numbers of English-language users on Windows 11 with 1000x1000 res down the long thin tail to the less populated buckets such as Tibetan on Linux with 900 x 600 res - filled up with say 6 million Tor Browser users. Now imagine if we had 60 million users. Suddenly those small groups of users would be better protected as they have more users in their same bucket (i.e. same fingerprint).

And of course, with Tor Browser, you are using the Tor protocol, so your IP address (even as a fuzzy loose data point, such as using a VPN from company x, or from ISP y) is irrelevant. You are anonymous (until you tell someone).

Hope that answers your question.

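The bucket reasoning in the post above, as an added example that is not part of the original post and is not Tor Browser code: it groups a constructed user population by identical fingerprint before and after collapsing each metric, then reports the bucket count, the smallest bucket and the entropy. The population weights, the 100-pixel snapping step, the fixed `cores` value and all function names are assumptions made for illustration.

```python
import math
import random
from collections import Counter

def make_population(n, seed=1):
    """Constructed users; the value ranges and weights are assumptions, not measured data."""
    rng = random.Random(seed)
    users = []
    for _ in range(n):
        users.append({
            "os": rng.choices(["windows", "linux", "mac", "android"], [60, 15, 15, 10])[0],
            "lang": rng.choices(["en-US", "en-GB", "en-CA", "de", "ar", "bo"],
                                [50, 10, 5, 15, 15, 5])[0],
            "tz": rng.choice(["UTC", "Europe/Berlin", "America/New_York", "Asia/Kolkata"]),
            "width": rng.randint(800, 1399),
            "height": rng.randint(500, 899),
            "cores": rng.choice([2, 4, 8, 12, 16]),
        })
    return users

def harden(user, step=100):
    """Collapse each metric to fewer possible values; `step` and the fixed values are assumptions."""
    return {
        "os": user["os"],  # cannot be hidden, so it still splits buckets
        "lang": "en-US" if user["lang"].startswith("en-") else user["lang"],  # one locale per language
        "tz": "UTC",  # the same timezone enforced for everyone
        "width": user["width"] // step * step,  # snap the inner window to set sizes
        "height": user["height"] // step * step,
        "cores": 2,  # a lie: the same reported value for everyone
    }

def bucket_stats(users):
    """Group users by identical fingerprint and summarise how well the crowd hides them."""
    counts = Counter(tuple(sorted(u.items())) for u in users)
    n = len(users)
    return {
        "buckets": len(counts),
        "smallest": min(counts.values()),  # anonymity set of the worst-off user
        "unique_users": sum(1 for c in counts.values() if c == 1),
        "entropy_bits": -sum(c / n * math.log2(c / n) for c in counts.values()),
    }

if __name__ == "__main__":
    for n in (6_000, 60_000):
        raw = make_population(n)
        print(n, "raw     ", bucket_stats(raw))
        print(n, "hardened", bucket_stats([harden(u) for u in raw]))
```

With these assumptions the hardened population can never exceed 4 x 4 x 6 x 4 = 384 buckets, and the rarest bucket gains members as the crowd grows, while the OS split remains.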