Roku and Apple send Facebook, and anyone else that cares the pay, the information on what you are streaming, along with your IP and whatever else they care to send. Facebook then uses that information to send an ad to you.
Exactly wrong. It's not the device-side that's selling out your privacy at all.
- --User points his media player (e.g. Roku) at some streaming service (e.g. A&E). As a result, A&E knows the IP address that is requesting streaming video.
- --Streaming service shares data with some other party (e.g. Facebook, Twitter) using this IP as an identifier
- --Other party correlates those IPs with the IPs making requests against its services and makes decisions (e.g. ads) based on that.
It is a fundamental part of the design of the internet (as it exists today) that two different service providers can cross-correlate requests based on a semi-stable* identifier (IP) if they chose to share data. There's literally nothing the client application can do to remedy this, it's in the network-layer. You can try to fix this at the network layer with some multi-VPN setup (not just a VPN, one that assigns a different external IP to each outgoing request) but that's sort of not how the internet was designed to work. The internet was designed to be sort-of pseudonymous, but it was not designed with true anonymity (in the sense of having no identifiers) in mind.
If you want a meatspace analogy, this is like two different dead-tree newspapers comparing their subscribers for home addresses. You want the newspapers to end up on your driveway in the morning, so you either have to give them your home address or use a different PO Box for each newspaper (which seems expensive).
[*] Yes, IPs are not really stable identifiers. But within the timespan of a few hours/days, it's good enough to get a few extra ad views. In other words, the downside of using a stale/incorrect identifier here (multiple parties on the same IP, router rebooted and got a new DHCP) is pretty low -- they show an irrelevant ad to those folks.