> The alternatives to javascript fingerprinting are either ineffective (TLS fingerprinting and/or IP rate limits), or even worse for privacy (eg. attestation).

Javascript fingerprinting itself is ineffective, these kind of checks only stop the most basic bots and I'd argue the same for attestation.

It's ineffective in the sense that in the worst case, bots can buy used iPads or whatever and use a robot arm + camera to do the scraping, but each incremental step increases the cost for scrapers. TLS fingerprinting means you can't use curl/requests and call it a day. Javascript makes it even more complicated by requiring a headful browser to solve challenges. The purpose is to increase the cost, not to eliminate all bots.