Looking at my Pi-hole logs, I see that when loading the Lemmy.ml site, Pi-hole asks DNS for r3.o.lencr.org, which is hosted by Akamai, which has its HQ in the USA. Does this mean that even if Lemmy is hosted in the EU, my visit to Lemmy can be tracked in the USA?

  • @fruechtchen@lemmy.ml
    4
    3 years ago

    It could be the case that one of the linked Lemmy instances uses that, and Lemmy retrieves its data to show what this linked Lemmy instance has posted.

  • @AgreeableLandscape@lemmy.ml
    2
    3 years ago

    If you opened any images or embedded links on the Lemmy page, that could be why, since that would directly load the image or embed source. It could also be that another instance is hosting their images (which would include the thumbnails for their posts) on a CDN. The Lemmy web client isn’t supposed to load any core assets or send XHRs to anywhere beyond the host by default, unless the instance admin specially configured it that way (which isn’t the case on lemmy.ml).

    As for your privacy question, I think at most it would send a referrer that contains the URL of the page that made the request, which can be scrubbed from the request with a browser extension. It would obviously also send your browser’s standard request headers and your IP address, same as any HTTP request. I could be wrong, but I don’t think an XHR or static file load would be able to see, for example, cookies or local storage belonging to the parent site unless the parent site let it?

    EDIT: Actually, as I was typing this, I saw your comment about OCSP; that might also be it, but the above was what I immediately thought of. If it is OCSP though, I don’t know if what I said about the privacy implications would apply, but I imagine it would also not give any information about what page you’re on, just the domain.

    A reputable and trustworthy VPN would probably mitigate this. Presumably the request isn’t executing a script, so it can’t fingerprint your browser, so assuming your user agent string isn’t too unique, just hiding your IP address should thwart any tracking they might be doing.
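
Added example (not part of the thread and not Lemmy's or Pi-hole's code): on the OCSP possibility raised in the comment above, this stdlib-only Python sketch builds and parses a minimal RFC 6960 OCSP request to show which fields a responder receives. The issuer bytes, serial number, and function names are constructed for illustration, and the parser assumes the minimal request form with no optional version, requestor name, or extensions.

```python
import hashlib

def tlv(tag, body):
    """DER-encode one element, short or long length form."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def build_ocsp_request(issuer_name, issuer_key, serial):
    """OCSPRequest { tbsRequest { requestList { Request { CertID } } } }."""
    sha1_oid = bytes.fromhex("2b0e03021a")  # OID 1.3.14.3.2.26 (SHA-1)
    alg = tlv(0x30, tlv(0x06, sha1_oid) + tlv(0x05, b""))
    serial_der = serial.to_bytes(serial.bit_length() // 8 + 1, "big")
    cert_id = tlv(0x30, alg
                  + tlv(0x04, hashlib.sha1(issuer_name).digest())
                  + tlv(0x04, hashlib.sha1(issuer_key).digest())
                  + tlv(0x02, serial_der))
    return tlv(0x30, tlv(0x30, tlv(0x30, tlv(0x30, cert_id))))

def parse_ocsp_request(der):
    """Extract the CertID fields, which are all the request body identifies."""
    for _ in range(4):  # unwrap OCSPRequest, tbsRequest, requestList, Request
        _, der, _ = read_tlv(der)
    _, cert_id, _ = read_tlv(der)
    _, _alg, pos = read_tlv(cert_id)
    _, name_hash, pos = read_tlv(cert_id, pos)
    _, key_hash, pos = read_tlv(cert_id, pos)
    _, serial, pos = read_tlv(cert_id, pos)
    # CertID has no URL, page path, or cookie field. The serial identifies
    # one certificate, so the responder can tell which certificate was checked.
    return {"issuer_name_hash": name_hash.hex(), "issuer_key_hash": key_hash.hex(),
            "serial": int.from_bytes(serial, "big")}

# Constructed sample values, not taken from any real certificate.
ISSUER_NAME, ISSUER_KEY = b"constructed issuer name", b"constructed issuer key"
SERIAL = 0x03A1B2C3D4E5F60718293A4B5C6D7E8F9012
REQUEST = build_ocsp_request(ISSUER_NAME, ISSUER_KEY, SERIAL)
FIELDS = parse_ocsp_request(REQUEST)
```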