We can all play victims here of course but we also have our own responsibility when creating software. I've been on many projects where people got sucked into "this just is the way this ought to be done" kind of thinking without questioning any of it.

I suspect many cookie consent dialogs come into existence this way. All the mindless onboarding nonsense, notifications, etc. come from a rather dogmatic application of growth hacking type advice. You get startups hiring people that specialize in that out of a belief that they have to do that that then start doing stuff. And once you have those people they start justifying their presence by imposing a lot of that stuff.

If you ask a lawyer for advice on legalese, they'll give you plenty of terms and conditions, consent forms, etc. Mandatory scroll to the end thingies are a good example of an anti pattern here. The thing is that laws don't specify much in terms of UI/UX. Some lawyer once upon a time decided that "we have to twist user's nipples and make sure they read my 20 pages of legalese before they are allowed in the app". This is completely stupid if you think about it for more than 4 seconds. But it's being copied over and over again by world + dog. Convoluted cookie consent screens are another good example. Corporate lawyers invented those because they are being paid to justify their existence. They come up with implausible scenarios and then protect their clients from those. A lawyer will never tell you to skip an optional/redundant step but they'll come up with reasons to add more of those. Removing complexity is not their job.

If nobody applies any critical thinking and fact checks these things you end up with a lot of ass coverage, legalese, "better safe than sorry" type features and shit that is not needed that adds up to a lot of user hostile behavior, onboarding friction, and application complexity.

Authentication is a thing that many product owners just blindly imitate from others. Including all the negative patterns around it. I've had this discussion with more than a few product owners. "We have to 'own' the user relation ship and therefore we must have a email/password thing and can't do openid, sso, email links, etc.". This is nonsense but if nobody challenges that, you go down the path of repeating decades of mistakes on this front. But it's OK because everybody else does it too.

People don't even question this any more. As soon as you go down this path it leads to a lot of fairly standard and boring stuff that you just have to do, apparently. Over and over again. If you have a password, you got to have a reset my password. Is "secret" an acceptable password? No, so we got to have a password complexity thingy. Do we add 2FA? Notification preference screens, Push notifications, and all the rest.

Modern logins should be simple. "send me a login link" "login with X, Y, or Z", passkeys, etc. Make sure the process is password manager friendly if you have passwords (why?!). Bias towards enabling your users to getting started with your thing ASAP. Get them in and then consent; not the other way around.

Get a good product person that understands these things rather than one that does things because he heard about a person that knows a person that is totally legit that told them that you gotta do X because reasons that are too complicated for you to worry your petty head about. Most bad decision making boils down to BS, urban myths, and bad advice like that. Ask the "why" questions. Make sure you understand and fact check the answers. Do what you actually have to do. But nothing more.