I won't deny that something like Cloudflare's "WAF" is useful. My issue is with the number of false positives I've run into with Cloudflare over the years. And because they have a virtual monopoly, when they cock up, suddenly half the Internet is inaccessible to the people caught up in it.

Or look at it another way: Suppose I was running a website and experiencing issues with automated access (some of which may be entirely legitimate). I choose to use Cloudflare's services to mitigate the issue, and immediately see a - say - 10% drop in traffic. I wouldn't be able to tell whether half of those where legitimate users filtered out by CF, unless those people take initiative to inform me of the issue - and even then I'd have no way of even estimating the ratio of false positives.

At the very least, it'd the nice if site-owners took a more nuanced approach to their implementation of these kinds of services than just gatekeeping general site access. Allow all reads of data (if you don't want people to consume your data, putting it on the Internet was a bad move in the first place), but bot-protect all writes.

It doesn't work that well for that purpose imo. Look at 4chan.

Fingerprinting fear is eh. The server only receives what the browser sends to it, plus your IP address. The browser fully controls what it sends, and it only sends identifying data because advertisement companies pay browser vendors to add this data. There is no technical reason why fingerprinting is even possible. Everything - your OS version, your cookies, your mouse movement - can be faked or anonymozed.