The privacy implications are worth discussing beyond the bot detection angle. Some of these APIs expose enough hardware detail to potentially re-identify users across sessions, especially when combined with other client-side signals. The LLM TTFT fingerprinting in particular was an unexpected find.
Happy to go deeper on any of the techniques in the comments.