by lmkg 1914 days ago
Legitimate interest is very broad and very vague. It's the "wild card" Legal Basis, basically used to cover all of the cases that the law didn't explicitly address. The legal requirements are more-or-less "the company has a good reason, and the privacy impact is minimal." The validity of the good reason or minimal privacy impact is subject to regulatory review, but companies are trusted to make this decision on their own until a regulator gets involved.

A company can also decline opt-out if they have an "Overriding Legitimate Interest." This is true regardless of whether the original legal basis was Legitimate Interest or Consent. However, the company must restrict processing only to that particular overriding interest.

"Fraud Detection" is the canonical example of an (Overriding) Legitimate Interest. To my knowledge, that's the only example that's actually given in the text of GDPR itself. Telemetry is generally believed to be another example, and in that case it's probably not Overriding.

Processing necessary to provide a service is kind of weird. If the service is part of a contract, then you use Performance of Contract as your Legal Basis. But if the use of the service doesn't actually form a contract, then you can't use that Legal Basis and have to use either Consent or Legitimate Interest. There are arguments for and against either.