If they are genuinely only using the information to detect bad actors and maintain site stability as the affidavit states, and if they can prove it, this seems like potentially a non-issue?

I am not a lawyer, but site stability seems like a GDPR "Legitimate Interest" in my book anyway.