Hi Russ,
Thank you for the thoughtful proposal. I think I understand the decision to switch to opt-in, and I am not trying to change it, but lest it appears all feedback is in favor of an opt-in version, I want to mention I disagree with it and I am disappointed and sad about it.
I think how the discussion developed around this is unfortunate. In the first 24 hours after the design was published I tried to engage with a number of people who objected to it on Mastodon, and the overwhelming majority were arguing against a design that didn't match the reality of what was proposed, or refused to engage with the design at all, taking a stance based on its name and its affiliation with Google. That was starkly different from the reaction from people I actively reached out to or in private communities I'm part of, which was universally positive or lukewarm, with all objections I remember being procedural about how it was proposed.
Reading through all those interactions and some of the comments on the GitHub Discussion (it is too long to have read it all, but I tried to keep up for the first few hours), I found no argument for why anonymous, sampled, weekly counters of cache hits and the like would be personal data. The closest anyone got was pointing out that it occasionally leaks a bit of information about "this machine compiles Go" but surely the network traffic patterns of "go mod download" do that already. (Yes, some environments will do hermetic builds from vendored dependencies, but those will mostly be ephemeral and/or not connected to the network, so won't report telemetry either.)
The outcome from where I sit seems to be that we got shouted into a dramatically less useful and marginally more invasive design, mostly because the proposal came "from Google". I'm not sure what could have been done differently, but it's sad and I wish there was a meta post-mortem on the discussion, even if informal and/or private.
I supported the opt-out design. As for the opt-in system, I am much less enthusiastic. First, it's unclear to me how many of the use-cases are still served by a more limited sample biased towards major platforms and power users. Second, I had found one of the original arguments for opt-out very compelling: we are entrusted to be stewards of the project, and we have a responsibility deploy something that's minimal and privacy-preserving enough that it can ship as default. In other words, I don't know how to answer "if this design is as safe as you say, why is it not on by default?" To be clear, I think it is safe, opt-out or opt-in, but I find the argument for it weaker now, and the project will have to make that argument over and over. Maybe I'm biased by my subject matter, cryptography, where it's especially true that users delegate decisions to us and we should not resolve hard questions by remitting back to them.
I don't intend to engage further with this, and I actually send this reticently, given the amount of vitriol and personal attacks I got last time around. However, I realized that if I didn't I would actually be part of the problem where all positive feedback is silent or private, and the negative feedback is public and loud. Thank you for working through all this, I imagine it was no piece of cake for you either.
Best,
Filippo