@mhoye i just checked the logs for a website i run (that gets ~9k pageviews/mo and ~1k MAU), grepping for all 404s - it seems like the vast majority of them are iphones requesting the /apple-touch-icon.png path (and variations thereof). there are also a bunch of "Chrome Privacy Preserving Prefetch Proxy" requesting /.well-known/traffic-advice and various bots trying to get robots.txt. there are definitely some credential scraper/vulnerability finder bots too, but the majority of the 404s I serve are to actual users, so if i implemented this advice i'd block a pretty big chunk of my userbase