I won't deny that something like Cloudflare's "WAF" is useful. My issue is with the number of false positives I've run into with Cloudflare over the years. And because they have a virtual monopoly, when they cock up, suddenly half the Internet is inaccessible to the people caught up in it.

Or look at it another way: Suppose I was running a website and experiencing issues with automated access (some of which may be entirely legitimate). I choose to use Cloudflare's services to mitigate the issue, and immediately see a - say - 10% drop in traffic. I wouldn't be able to tell whether half of those where legitimate users filtered out by CF, unless those people take initiative to inform me of the issue - and even then I'd have no way of even estimating the ratio of false positives.

At the very least, it'd the nice if site-owners took a more nuanced approach to their implementation of these kinds of services than just gatekeeping general site access. Allow all reads of data (if you don't want people to consume your data, putting it on the Internet was a bad move in the first place), but bot-protect all writes.

It doesn't work that well for that purpose imo. Look at 4chan.