by vlovich123
1565 days ago
Yeah, cert pinning is annoying, but there are competing interests over that. The application vendors don't want you to be able to inspect the data, and generally that's true as well. The niche debugging/analysis use case can still typically be managed by disabling cert pinning once you have root (unless the application has its own TLS implementation, which gets trickier).

Re: MAC address == strong link-level identity, it was never that, and using it in that sense isn't accomplishing much. MAC addresses are trivial to spoof. If you want identity, then use proper cryptographic mechanisms to establish that (e.g. mTLS).

What we've seen as a profession is that that level of flexibility makes things harder to configure correctly, leading to various security vulnerabilities. Or the optionality being user-facing makes it not user-friendly and makes it easy to socially engineer attacks. It sucks, but in practice we've not found a way to optimize along several axes simultaneously. Don't forget that all your optional features are stuff someone has to build, implement, test & maintain.

The only way out, I think, is to demonstrate a way forward that manages to attain the goals you seek without sacrificing the technical privacy measure. The technical privacy measures have been put in place as a result of real-world lessons learned, not hypothetical things.