I do most of my browsing from "datacenter IPs", because I segment browser instances (including source IP) by activity type, and I only get one IP from my physical upstream. It's also very easy to rotate datacenter IPs frequently, and they don't spill my physical location.
I spend real money browsing from these rotating datacenter IPs, to many different online stores, and I've only run into a rare few that won't let me. If a website doesn't work, especially for the casual browsing of shopping, then that will very much influence my purchasing decisions.
If your website relies on surveillance to make money, meaning you don't particularly appreciate my efforts to stop the abuse of my privacy, then I understand how we're at an impasse. But if you're running an honest business and think that heavy handed blocking is only pushing away illegitimate traffic, please do reconsider.
Not running a business, running a free service that gets a lot of abuse from bad actors. We care a lot more about having a website that stays up as opposed to letting a few users have "privacy"
Practically, I thought one of the main points of Cloudflare was that it cached most pages? So, a deluge of read requests shouldn't really affect you, no matter the intent (assuming your website handles caching properly, etc).
I do completely understand that you need to rate limit things that mutate the site or perform a lot of non-cacheable reads (and thus always hit your own server(s)). But if you have some sort of account system, I'd urge you to make it so that logged in users bypass IP-based limiting. Thus someone coming from a non-naive IP may hit a bunch of CAPTCHAs to login, but once they're logged in they should have an easy experience (with the idea that if the account turns out to be abusive, you ban it). An account is basically a longstanding nym.
Also, it's unkind to put privacy in scare quotes. It's true that there is very little absolute privacy with the sorry state of web technologies, but that doesn't mean throwing the whole concept out. I personally find value even in little things like some ad that slips through saying "List of <whatever> in <city not related to me>", rather than getting my city correct, normalizing the idea that it's right for what I'm reading to be reading back at me, and perhaps enticing me to click.
I spend real money browsing from these rotating datacenter IPs, to many different online stores, and I've only run into a rare few that won't let me. If a website doesn't work, especially for the casual browsing of shopping, then that will very much influence my purchasing decisions.
If your website relies on surveillance to make money, meaning you don't particularly appreciate my efforts to stop the abuse of my privacy, then I understand how we're at an impasse. But if you're running an honest business and think that heavy handed blocking is only pushing away illegitimate traffic, please do reconsider.