Actually, they're supposed to be opt-in. "Silence, pre-ticked boxes or inactivity should not therefore constitute consent." [0]. I worked extensively on one of the big ad-network's GDPR compliance pub & advertiser tools and we took this seriously. If you blocked the message & you were detected to be in the EEA, that was "no consent" for data use. That said, I know many of the other players in the ecosystem actively overlooked or did not abide by this policy.
Shoot, you are correct, and I misspoke. I meant to imply that the default must be assumed to be rejecting all tracking, and that all tracking applied must be explicitly accepted.
What's a shame is that most companies hide behind the claim that if users block IP tracking, since they "can't" get geo without IP, you're opt-in by default. They don't make the best effort attempt to, using the data they have, determine opt-in/out default behavior. The regulators seem OK with that argument. So your point sort of stands (and I wish it didn't)
[0]https://www.gdpreu.org/the-regulation/key-concepts/consent/