You're right. But still, DNT is snake oil that only makes things worse by providing a false sense of privacy while not resolving any issue.

And some fingerprinting issues that can't be solved by lone users could be solved by browser vendors. Let's at least start by doing something with those overlong User-Agent headers. And, say, limiting JavaScript capabilities on introspecting the environment.

Well, for one thing, this would Break The Web (tm). I assume that users of, say, TorBrowser would not mind, but I strongly doubt the greater public would accept that.

For another thing, these two measures would only force the trackers to switch to other fingerprinting mechanisms that are harder to turn off (ETags, canvas 2d/3d fingerprinting, CSS fingerprinting, etc.), so I don't think this would achieve what you hope.

It won't break the web any more than not supporting <blink> tag or deprecating SHA-1 certificates anymore. It would affect a tiny minority of sites that try to do weird things. Seriously, we had a lot of JS APIs being gradually deprecated (and, yeah, breaking the web), and we're still alive. And for the last ten years every web developer was constantly told to not depend on User-Agent headers and do capability checks instead of UA detection. If there are still some sites doing that, and a reason for a change exists - it's good time to break them and only make work with some compatibility mode.

And those were just the examples. Sure, the trackers will switch. ETags and CSS fingerprinting and any other tracking methods can be worked around too. We just have to start value privacy a bit more than dancing bunnies.

(But, sure thing, users want dancing bunnies, not privacy)