Point 3: ActivityPub is _exceptionally_ weak against a corporate attacker.

Hell, mastodon last I checked doesn't even support the latest version of linked data proofs or whatever that spec is being called this week

It would not be hard for a corporate entity, in the name of security (not even features), to start pushing their own extensions here that aren't backwards compatible and start listing servers that aren't on their spec as "insecure" or "not standards compliant"

They'd even be right.