GDPR is actually quite clear and logical on the notion of consent. Implicit consent is implied for anything essential for a service, everything else has to be opt-in.
And while "dark patterns" (making it difficult to opt-out of tracking) might frustrate some, this practice won't help offenders before a court. GDPR isn't tied to any one mechanism (such as cookies) but for collecting PII of any kind; required. free consent can legally only be given if the instructions and consequences are clear.