I was with you until this paragraph:

> The broadest possible interpretation of this ruling is that any website that downloads any digital asset–cookies, javascript, heck maybe even HTML–onto a California resident’s computer can be sued in California, even if the website doesn’t know where the users are. If this is correct, the majority effectively would be saying: if you place a cookie on a reader’s device, you’ve done something more than passive publishing (i.e., you can passively publish without the cookie) and must accept the jurisdictional consequences.

This feels so close, but a little off my interpretation. In Collin's concurrence, he specifically calls out that the required parties "minimum-contacts" in the transaction were both in the state as part of the reason for the unambiguous jurisdiction, with Stripe being a third unexpected party to the information. To insert themselves is in effect inserting themselves into the jurisdiction as well. This paragraph:

> When a State specifically regulates the conduct of electronic systems with respect to transactions within its borders, the as-intended operation of those systems within that State is the relevant tortious conduct for minimum-contacts purposes, and that conduct is attributable to those persons who deliberately intended that such systems reach into that State and operate in that manner when they do so...

For me, this implies that third-party services not required or expected when a user interacts with a site that run scripts or set cookies for anything outside that "minimum-contacts" requirement is liable for what they do with that data, access, and what that code does.