Right now, because the requests are identical to the same requests sent to Google Analytics but with a different hostname. It's trivial to identify and block them, and current ad blockers already do.
> same requests sent to Google Analytics but with a different hostname
There are instructions out there to also modify the path of the requests[1]. Consider this paragraph in the Summary section:
> Cynics could say that this is an improved way to circumvent ad blockers. And they’d be right! This does make it easier to circumvent ad blockers, as their heuristics target not just the googletagmanager.com domain but also the gtm.js file and the GTM-... container ID.
You can do that, and you can also proxy encoded requests which obfuscates all data, but you could also do that with the previous version of Google Analytics via the Measurement API.
In practice - in the EU, at least - I haven't seen any examples of this, and it would be unlawful without consent anyway, thanks to the GDPR.
It's also still fairly easy to classify requests (if you have access to the unencrypted request in the browser) based on heuristics. That's partly what the company I work for does.
Separately, thank you for your contribution to the Internet - it's as big and important as all the behemoths, but unfortunately will never be rewarded in the same way.
