I hope they do decide to add the HTTP header to disable FLoC by default, unless site admins specifically opt in. From the discussion I've seen, it hasn't been decided for sure yet.
The website is really a third party here; the browser is choosing to track users' browser history and report a summary statistic on it to anyone who asks, and there's nothing the website can do about that.
Chrome has promised to listen if websites say they don't want to be included in the browser history they calculate that statistic on, but it's all client side, there is nothing the website can actually do but request that they aren't included.
Nowhere in this document does it claim that a summary of your browser history is being sent to websites. It explains the actual process of how cohort IDs are generated and used.
I think the problem here is just one of language: a summary statistic is a number calculated from a set of data that gives you some idea of the contents of the data, but condenses it in a way that you can't reproduce the original data. Common examples for numeric data sets are things like mean, mode, median, standard deviation. Common examples for data sets consisting of a finite list of strings (such as browser history) would be things like average length, character frequency, count, etc. The cohort ID generated is unambiguously such a summary statistic.
Rather than the browser sending a summary of your history, it calculates a cohort ID. That ID is sent to websites, and the website then has the job of associating IDs with interests.
So instead of building a profile on specific users, the website (or ad network) builds profiles on cohort IDs. Users can change IDs, or mask theirs altogether if they wish.
We actually respected DNT at an ad tech company I worked at and people still gave us grief for "tracking" them. We literally just 200'd the request immediately for all DNT requests. No processing, no tracking, nothing.
Hilariously, I even opposed removing the code later because I wanted us to be a good citizen but it was practically dead code because people were still calling us evil. They could literally set their UA to play along (or use one that set it by default).
I think we always kept the code in but it only incurred cost and we got blamed anyway. I think, looking back, I should have just removed that piece of middleware since no user ever really cared. It wasn't worth it for the org to pay for code so I could have a clean conscience.
We tried 202 and 204 and both led some UAs to show broken image placeholders. But during the time we did that people assumed that we were tracking them just incompetently ("Look! They've revealed themselves!" style).
Maybe we tried some other codes but anything but 200 was unsafe to many UAs (you could 3xx but UAs would break on 304 too because the tracking pixel wasn't actually cached). Anything that led to UA breakage was verboten anyway on our side since we didn't want anyone to have a broken experience because they set DNT. That would have been bullshit.
We were dumb enough to handle P3P headers too (which AFAIK no one really used in the end). Lots of dead code. Ugh.
I've seen people say DNT could be ignored because it's off by default in some configurations (Safari), and the user did not make a choice. Would be interesting to see what kind of mental gymnastics these people would apply here to ignore the user's opinion.
You might enjoy this project. It's a browser plug-in that submits random search queries over time to ruin the accuracy of companies tracking: https://trackmenot.io/
A cynical view would be that Google paid large sums to advertise Chrome on prime time TV while sideloading it with Flash and Java installs, which led to an outsize user base, which led to outsize influence at W3C on specifications.
That's "easy"?! How does my mom do that for her WordPress site?