> TLS fingerprinting and Cloudflare are easy to bypass. There are lots of libraries that do so.
Easy for you does not mean easy for everyone. My experience is that TLS fingerprinting paired with blocking specific user agents gets a variety of majority of bot traffic.
It's the same a basic online security: You can protect against script kiddies with basic hygiene. If the threat analysis is Mossad, then yeah, you're fucked.
The application-layer stuff is harder. Each application can develop its own heuristics, and that's difficult to automate in a cross-cutting fashion.
Reddit doesn't do anything about that? That seems stupid.