[rlpb]

The EU's GDPR only requires explicit consent for data collection for the purposes of the processing of data that is personally identifiable and there are exemptions such as for operational reasons. For example if you make an HTTPS request to my server then of course I have your IP address. It's what I do with that personally identifiable information that determines whether it requires explicit consent or not. For example if I only use it for the purposes of ensuring operational security and destroy access logs after some limited time, then explicit consent isn't required.

Data collection for aggregate analysis that discards personally identifiable information in a non-recoverable way similarly does not require explicit consent.

Sounds to me like what they say they're doing is compliant, does not require explicit consent under the GDPR anyway, and therefore whether or not the checkbox defaults to checked or not is moot from the point of view of the GDPR.

I understand some people might not want to trust them, their processes or their competence regardless, but that's a matter that's outside the scope of the GDPR. The GDPR is about what they are doing and for what purposes, not whether you trust them.