Well, good thing they reverse-proxy the javascript code first party directly on the domain (www.*), and attempt to load multiple subdomains on the primary domain one after another (including randomised CDN paths)
"enable it only on a per subdomain basis" works when the tracking runs off a separate subdomain. Walmart, for example, intentionally proxies the files through their primary domain, the one that you are visiting, to try and bypass this.
--
Other sites and services will also use blocking them as a fingerprinting point. For example, it loads native first-party JS to try and bootstrap the rest of it.
A really simplified example:
Stage 1: on-page script tag, not a separate file, sets up a variable - let's call it "counter"
Stage 2: Load cross-site-tracker.js from obvious-analytics.example.com.
If it fails:
Stage 3: Load QyojK8oIwLjske2JkW9mdJY0Np.js from hqMOBRLccCmEnG9.cloudfront.net; increment a "shady user is trying to hide from us" counter
If it fails:
Stage 4: Load RandomWordsRainbowButterfly.js from N4NqCUJAT9UUXFcwnn.cloudfront.net; increment a "shady user is trying to hide from us" counter
Keep trying this through 3-4 domains, use random s3 buckets, cloudfront hostnames, akamaized.net hostnames. Upload all tracking data as soon as one of them succeeds.