> Is it okay that by default [...] ?

Yes. IP addresses by themselves are not PII and may be logged indefinitely. It's only after you start correlating them with other shit that you're collecting that they become subject to GDPR.

Same for cookies really. If you *only* operate a shopping cart, you don't have to display a cookie notice for "only technically required cookies". The point of the cookie notice is to dark pattern users into granting more access or just to annoy them enough that they continue not caring about privacy.