web browser – Facebook retargeting pixel

Given a commercial website buy.com and a user with a Facebook account in facebook.com, the user has third-party cookies disabled in the browser.

If a user is logged in their Facebook account and visits facebook.com, Facebook can set first-party cookies for facebook.com

Now the user visits buy.com, the site uses a web beacon with an <img> tag with src pointing to a facebook.com URL.

Can the user can still be tracked and a retargeting campaign can happen without consent?

Assumption is that the request from the <img> tag on the buy.com site, sends info about the visit on the URL and is able to trace it back to the original user thanks to the first-party cookies that were set by the visit to Facebook and get resent on the request for the web beacon even from a different domain. Is that correct?