by jefftk 1330 days ago
> if this is for privacy reasons, but you can circumvent it by requesting client hints, then won't that end up an always-on default anyway that nobody benefits from in practice?

The goal is to switch from sending high-entropy information by default to sending it only when explicitly requested by a site. This has several advantages as you try to reduce fingerprinting, but the big one is that it's visible which sites are using which information. Today any server could be using any part of the UA.

1 comments

So, if this becomes a permission, it would be another annoyance like the cookie banners. Akamai is requesting client information, allow or deny? Who would know what that even means, outside of tech?

The gist is, privacy and security have to be in the defaults to be useful. The amount of stuff that can afford to have a human in the loop is in practice minor, and should only be reserved for important things that people can actually understand.

I don't think there are any plans to make this a pop-up. But it's still useful to move this entropy to be something that has to be actively collected: people can see which sites are collecting what information, and eventually browsers can start enforcing something like privacy budgets (https://github.com/mikewest/privacy-budget). You can't do these with something always sent automatically.
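
An added example, not part of any comment in the thread: a small audit of which sites actively request client hints beyond the ones sent by default, which is the visibility the comments above describe. It assumes the opt-in is the `Accept-CH` response header; the origins and header values are constructed sample data, and the function names are hypothetical.

```python
# Added example: list the client hints each origin opts in to via Accept-CH.
# Hint names come from the Client Hints specifications; the responses below
# are constructed sample data, not captures from real sites.

# Low-entropy User-Agent hints sent on every request without an opt-in.
DEFAULT_HINTS = {"sec-ch-ua", "sec-ch-ua-mobile", "sec-ch-ua-platform"}

def parse_accept_ch(headers):
    """Return the set of hint names requested across all Accept-CH lines."""
    requested = set()
    for name, value in headers:
        if name.lower() != "accept-ch":
            continue
        for token in value.split(","):
            # Header names are case-insensitive; drop any ";param" suffix.
            token = token.split(";", 1)[0].strip().lower()
            if token:
                requested.add(token)
    return requested

def audit(responses):
    """Map each origin to the hints it requests beyond the defaults."""
    return {
        origin: sorted(parse_accept_ch(headers) - DEFAULT_HINTS)
        for origin, headers in responses.items()
    }

def sites_requesting(report, hint):
    """Origins whose audit entry contains the given hint."""
    return sorted(o for o, hints in report.items() if hint.lower() in hints)

# Constructed responses: (header name, header value) pairs per origin.
SAMPLE_RESPONSES = {
    "https://shop.example": [
        ("Content-Type", "text/html"),
        ("Accept-CH", "Sec-CH-UA-Model, Sec-CH-UA-Platform-Version"),
        ("Accept-CH", "Sec-CH-UA-Full-Version-List"),
    ],
    "https://blog.example": [("Accept-CH", "Sec-CH-UA-Mobile")],
    "https://cdn.example": [("accept-ch", "sec-ch-ua-arch , Sec-CH-UA-Model")],
}

if __name__ == "__main__":
    report = audit(SAMPLE_RESPONSES)
    for origin, hints in report.items():
        print(origin, "->", ", ".join(hints) or "defaults only")
```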