I think the right default is no-referrer. Sec-Fetch-Site exists for security use cases. If you wanted to do it across origins, same-origin wouldn't work anyway.
If people want data for analytics, they should need to explicitly enable it and browsers shouldn't necessarily listen.
This Tweet was deleted by the Tweet author. Learn more