One of the big differences between 1st-party and 3rd-party tracking is that Bob at Bob's Cakes can only see what you're doing on Bob's site (1st-party tracking), but if Bob uses Google Analytics, and so does Jane, and Sarah, then Google Analytics (3rd-party) knows about your activity _across_ Bob's, Jane's, and Sarah's sites, which can potentially be used in worse/more invasive ways.
Also, the javascript tracking scripts can capture a lot more information than a simple access log line - they're not directly comparable.
This isn't strictly true, which is why I made the differentiation above between 1st and 3rd party cookies. With the 1st party cookie you'd get a new GA cookie on each site (e.g. mozilla-GA, ycombinator-GA, etc), making those correlations impossible. In the case of 3rd party cookies, yeah, I totally get that they can be used for some seriously evil things.
It's possible GA could try to correlate IPs or browser fingerprints between 1st party cookies over multiple sites, but proxies and mobile devices would make that difficult. The fact that all the data is together in GA's warehouse doesn't change the fact that the data isn't there to be correlated.
As for JS being able to be more intrusive, sure, I get that. At that point, I suppose you have to trust the site you're on that they wouldn't use a service that was intrusive. Perhaps this is a bridge too far for some, which is reasonable.
I guess I just don't get wanting to ban the tool entirely when it could but is not currently be used nefariously. (working on the assumption that if GA started fingerprinting browsers someone would've seen the traffic by now. it's not easy to hide.)
Also, the javascript tracking scripts can capture a lot more information than a simple access log line - they're not directly comparable.