"legitimate interests" are subject to interpretation on purpose; either legitimate interests on a given instance are lawful, or you're better off relying on consent, since your interpretation and the regulator's interpretation may be different. Check page 7 of https://www.edpb.europa.eu/system/files/2024-10/edpb_guideli...
What's 'legitimate' and what isn't is up for interpretation, but the question of whose interests is clear in the text of the GDPR itself, and it's the controller's (or a third party's) interests which could form the basis of lawful processing.
Interestingly, the GDPR specifically does not include 'benevolent' processing (i.e. processing for legitimate interests of the user) as a lawful basis.
