Thank you for your answer and thoughts on this topic.
Exactly, the sending and receiving of several metadata is exactly the problem. And I also agree that developers cannot be responsible for the "entire Web 3.0" behavior. The biggest issue is that politics and lawmakers are beyond current technological possibilities. Just a quick off-topic remark: I had a talk with some federal state politicians and entrepreneurs during a startup get-together meeting, and literally nobody had heard about Web 3.0 or its technological and data political implications (though most of them were really interested in this topic after I explained the basic concepts).
Maybe the safest approach would be to put information in the "Terms & Conditions" as well as in the "Data Policy" section, informing users and possible customers that they use a Web 3.0 website, that certain metadata can be fetched by third parties without our consent, and that using e.g. a VPN or the Tor network would be recommended. I would suggest listing the connection possibilities as you did: Primary / Native IPFS connectivity; Secondary / Gateway connectivity. Again, one cannot know all peers, all their software, what exactly they do and who they are. It is absolutely impossible, and I think that mentioning these problems in the corresponding website sections (T&C, Policy) should be fair enough until Web 3.0 becomes more mainstream.
If you would like to add something, or if others want to participate, please do so! It's not a fun topic at all, I agree. But if Web 3.0 and IPFS are to be adopted by more people, or even startups (like us), we have to discuss data political implications.