> Where you were before
> news.ycombinator.com
This has always bothered me the most. I disabled the 'Referer' header once, but it breaks many websites.
It's interesting that this breaks things. When trying to link to an internal password vault at work it would always break. People would have to click the link on my site, then reload it to get the page to load. This was an issue for years, across multiple versions and despite many people offering up ideas to help solve it. One day I thought maybe it was a referrer issue, so I had it open with noopener,noreferrer, and that fixed it.
It seems odd that any site would require a user come from somewhere.
Hah I remember the picture of the scrotum.
The Referer header is the one that's hardest to opt out of cleanly: strip it at the network level and too many things break. Referrer-Policy lets the origin set the rule, but the visitor doesn't get to choose. There's a quiet move toward Referrer-Policy: strict-origin-when-cross-origin as a sane default in modern browsers, but it's still origin-dictated, not visitor-dictated.