As gorhill mentioned in the comments, this isn't really a 1st-party tracking, it's "3rd-party disguised as 1st-party". Tracking URL is on a subdomain of 1st-party domain, but it resolves to 3rd-party IP ang request goes to 3rd-party infrastructure.
That doesn't need to be true at all. You could imagine a service that acts as a can and proxy for the 1st party that injects ads into the HTML directly and handles certain urls on the main domain.
Also, 3rd party infrastructure could be something like aws. Are you really going to block all ec2 address ranges?
I doubt we will win anything from this. Some advertising provider will provide an easily-runnable proxy and say "we give you double CPM if you give us the logged-in user's email address". Now you have even less privacy.
Third-party requests with cookies made it easy to start tracking people across sites... but there are other ways if that is made to stop working. Given how much money flows through the advertising industry, I am sure someone will pay for the week or so of engineering to make advertising more invasive.
Just georestrict your website to not allow visitors from Europe. What I learned from the whole Blizzard fiasco is that the future is selling products to China. China doesn't really care about the GDPR.
There are already companies that do this for other thing. It's basically the model cloudflare uses, but they don't have the ad injection part. I believe brandingbrand did the same model for mobile sites.
To the site owner, they're just pointing dns at the ad company and treating it like a cdn.
