Huh? Malicious actors would just use a Chrome user agent. The only people being hurt by such blocking are legitimate Palemoon users.

If your so-called "bot blocking" is nothing more than a string.contains() on the user agent, it's literally less than worthless.