towerful

That got a bit long.
Reading more into bunkerweb.

Things like the "limit" feature are going to doink people on cgnat or large corporate networks. I've had security stuff tripped by a company using my software, and it's a PITA cause all the requests from legit users come from only a few IP addresses.

Antibot isn't going to be helpful for things like JS requests, because cookies aren't included by default with fetch requests - so the application needs to be specifically built for this (at which point, do it at an application level so it can scale easier?).
And captcha. For whatever that is worth these days.

Reverse Scan is going to slow down every request (as it scans the remote client for suspicious open ports, so a 500ms delay as default).

Country is just geo-ip.

Bad Behaviour is just rate limiting (although with a 24h ban). Sucks if a few corporate/cgnat users all hit a 404 and suddenly that entire company/ISP's IP is blocked for a day.

This seems like something to use when running a TOR server or something, where security is more important than user experience. Like, every feature seems to punish legit users

LE certs can always be "side loaded" by acme.sh or LEbot or whatever, and the reverse proxy restarted to use the new certs. So, the whole "pro subscription to use specific certs" shouldn't be a factor, except a little more work/config (so, money Vs time).

Now for my opinion...

For base security, all it's doing is looking at whatever you tell it to look at in an http request and forward/drop/block as such.
HAProxy is well battle-tested. Nginx is well battle-tested. Traefik and caddy are comparably newer contenders, but considering their adoption they are probably well battle-tested.
Which means, an established reverse proxy is only going to be as secure as the software it's forwarding traffic to.

If there happens to be some mental TLS handshake RCE that comes up, chances are they are all using the same underlying TLS library so all will be susceptible...
But at least an attacker only gets access to the reverse proxy server. Which is why it's worth having that in a locked down isolated VM, ideally built in a way that is extremely easy to rebuild (declarative configs like docker-compose and some scripts, or even something like nixos for an immutable OS).

As for add-ons... Most WAFs only look for things like XSS injection or SQL injection or exploitative HTTP request formats. Very very basic attack vectors that any decent HTTP stack and reasonably built software shouldn't have to even worry.
Any DDOS protection is more likely to blast your network connectivity, which (for self hosting) a WAF isn't going to be able to do anything about.
I'm not sure how good they actually are against a DOS attack that is caused by bugs/inefficiencies in the application. Maybe they monitor for long/increasing response times, and block further requests to them? Might cause a lot of false-positives for your users.

So, the only real benefit - that I see - are zero-day exploit protections.... and that only matters if they are built around near-realtime updates like crowdsec is. I don't know how it compares to cloudflares WAF, tho.
Any zero-day protection that isn't being managed and updated in near-realtime is about as effective as you monitoring news of your installed services/programmes and updating them regularly. Because you are likely to update your WAF and apps when you hear about those, or regular scheduled updates will deal with them before you even learn about them.

I guess there is security in layers, and if layers of security is more important than CPU consumption/response time/requests per second (ie have an abundance of processing, servicing few users, etc) then it might be a no-brainer.

The only other time I can see a generic WAF being useful is if you have rolled your own framework and HTTP stack, and are running your own software. Because, you won't get that right... So might as well have the extra protection of a WAF.

Or, I guess, with really old unsupported software.
But surely there is a newer take or fork of it?

There is also the "am I worth it" factor.
Like, what is your actual threat model?
Defend against the usual script-based attacks (IE low hanging fruit), only expose/forward ports that are actually required, use some sensible security that isolates more vulnerable systems (IE a proxy) from more sensitive (ie a database or storage), and update regularly on stable/lts branches.

Edit:
I just googled bunkerweb.
First we had firewalls. Then we got web application firewalls. Along came next generation firewalls. Now we have Next Generation Web Application Firewalls with paid features like "Pay per protected services" and "Best effort support included"

Maybe I'm just salty

It's the only one they have with comfy seats and a mini bar

Apparently Amelia Tyler - the Narrator for BG3 - checked in on some random twitch stream, and they had an AI voice trained from her narration controlled by twitch chat - which was saying some fucking horrendous stuff.

Scary as fuck.

Remember to talk to everyone you know about voice scams. Scammers absolutely are leveraging this tech, and piling it on top of the usual "I've flushed my phone down the toilet, I'm texting from a mates phone and I need money to buy a new one for my job interview tomorrow" kinda scams.
Agree on a password or something, so that if "you" ever call (edit: or text) and put them under pressure then they ask for the password. Scammers will instantly divert or bail.

You can take apart juice bottles.
The least realistic part is that anon managed to get to and dilute every bottle their gf used.
Cause if they miss one, their gf is gonna have a serious shock.

So, lack of consent and extremely controlling?

Trees!
Trees store lots of environmental and atmospheric data in their trunks. When they get fossilized a lot of that information remains intact.
Also, ice cores. Layers of ice protect previous layers of ice from further contamination, so are a pretty good snapshot of the environment/atmosphere at a given point in time.

https://www.bbc.co.uk/newsround/67074940

Wiki has more detailed information on how Miyake Events are "stored" in trees and ice cores.
https://en.m.wikipedia.org/wiki/Miyake_event

If you pay for your VPN using crypto, then they can't tie it to your name, when they're reselling the traffic it's harder to tie it to an identity

Surely that only works if you have personally mined the crypto yourself.
And if you only use that wallet for paying for the same VPN service.
Crypto isn't anonymous, the ledger of all transactions (IE the Blockchain) can be read by anyone.

I tried to wash my brain, but I couldn't find enough clean water

Companies would only do it in response to an incident.
Same as any IT related thing. IT will block bad websites, maybe have some alerts for common stuff, but will only sift through logs when something goes wrong so they can assess the extent, impact and fixes for things.

The exceptions are probably like Amazon where they have the processing power and dev-time to do things like this to their own employees, which might also turn into a marketable product for other companies.
Military contractors might as well (Boeing...)

She’s just been through her junk email folder and found a “We’ve noticed a new login” email from instagram yesterday

The junk-ing security notices is so common.
A few months ago, my dad said "uh, I got some email from my bank, and now my credit card doesn't work".
The email was describing some problem with his account which would have been so much easy to fix before they cancelled the card.
Similarly, I lost a domain name because the registrar notifications for renewal ended up in my junk mail.

It's probably quite a significant issue. Companies can go "well we tried to contact you" and wash their hands.
Doesn't matter that they also spammed bullshit marketing emails from the same address that issues security/renewal notifications.
Doesn't matter that spam email has been such an issue it is near-impossible to host your own email server (and expect delivery) for a decade or so now.

Training will never stop, tho.
New models will keep coming out, datasets and parameters are going to change.

Maybe the amount of shoplifting hasn't changed that much, but reporting and detection of it is better?
https://www.sfchronicle.com/sf/article/shoplifting-data-Target-Walgreens-16647769.php