I recently saw people try to implement pairwise IDs by following the provided crypto examples 1:1. I think we can provide better guidance on that. I discussed that with Tim McLean, who you probably remember from his security review on JWT libs two years back.
On example 1:
Calculate sub = SHA-256 ( sector_identifier || local_account_id || salt )
Instead of suggesting that people build their own PRF, we could point them to standard HMAC.
On example 2:
Calculate sub = AES-128 ( sector_identifier || local_account_id || salt )
Similarly, here we could point developers to the existing standard on AES encryption in SIV mode (RFC 5297), which offers deterministic authenticated encryption:
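One way to follow the HMAC suggestion for example 1, as an added sketch that is not part of the original post or of the OpenID Connect specification: the secret salt is used as the HMAC-SHA-256 key, and the two identifiers are length-prefixed so they cannot run together. The function names, the length-prefix encoding and the sample values are assumptions made here.

```python
import base64
import hashlib
import hmac


def _lp(field: bytes) -> bytes:
    """Length-prefix a field so adjacent fields have one unambiguous encoding."""
    return len(field).to_bytes(4, "big") + field


def naive_sub(sector_identifier: str, local_account_id: str, salt: bytes) -> str:
    """Example 1 followed 1:1: SHA-256 over the bare concatenation."""
    data = sector_identifier.encode() + local_account_id.encode() + salt
    return hashlib.sha256(data).hexdigest()


def hmac_sub(key: bytes, sector_identifier: str, local_account_id: str) -> str:
    """Pairwise sub via HMAC-SHA-256, keyed with the provider's secret salt."""
    if len(key) < 32:
        raise ValueError("use a random key of at least 32 bytes")
    msg = _lp(sector_identifier.encode()) + _lp(local_account_id.encode())
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    # base64url without padding: 43 ASCII characters, within the 255 limit for sub
    return base64.urlsafe_b64encode(tag).rstrip(b"=").decode("ascii")


# Constructed sample values, not taken from any real deployment.
SAMPLE_KEY = bytes(range(32))
PAIR_A = ("example.com", "1alice")
PAIR_B = ("example.com1", "alice")

if __name__ == "__main__":
    # Bare concatenation maps two different (sector, account) pairs to one sub.
    print(naive_sub(*PAIR_A, SAMPLE_KEY) == naive_sub(*PAIR_B, SAMPLE_KEY))
    # The length-prefixed HMAC input keeps them distinct and stays deterministic.
    print(hmac_sub(SAMPLE_KEY, *PAIR_A), hmac_sub(SAMPLE_KEY, *PAIR_B))
```
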