It's time to declare that Client-Server architected internet "applications" (i.e. applications of the underlying Internet protocols, mainly seen as websites) are dead. They've been killed by a combination of enclosure of the commons, feudal plantation ownership and everything-harvesting criminal botnets masquerading as "AI" model-building.
It's basically impossible for anybody but the behemoth (GRAFT+)[1] providers to host an open-internet-facing application without hiring the services of a protection racket (aka "Distribution Network"). Without it your server software will suffer a meltdown, swamped by requests from particularly aggressive, egregious and stupid bot software that ignores all the niceties and conventions of internet citizenship that make the whole thing possible. Bots that ignore the expressed wishes of site-owners via robots.txt. Bots that ignore redirects to HTTPS ports but keep retrying in vain hope. Bots that persistently and aggressively fish for non-existent pages in the hopes of finding a resource worth exploiting. Repeated re-scans of pages over and over and over and over again, despite server responses telling requestors that the content has not changed. The result is a total, uninterrupted Denial of Service attack. By actors who claim not to be criminal enterprises; who claim they're engaged in the "legitimate" business of Intellectual Property theft in the name of making Largely-useless Language Models.
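Each of the bot behaviours listed above leaves a distinct trace in an ordinary web-server access log: hits on paths that robots.txt disallows, bursts of 404s, repeated requests for a resource the server has already answered with 304 Not Modified, and repeated hits on a URL that has already been answered with a redirect. The script below is an added example, not code from the original post: it parses a constructed robots.txt and a handful of constructed combined-format log lines (the IPs, user agents and paths are made up) and tallies those four signals per client so an operator can see which clients deserve rate-limiting or a firewall rule. The thresholds are illustrative assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_robots(text):
    """Return {user-agent token (lowercased): [disallowed path prefixes]} from a robots.txt body."""
    rules, current, in_agents = defaultdict(list), [], False
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments and whitespace
        if not line or ':' not in line:
            continue
        key, value = (s.strip() for s in line.split(':', 1))
        key = key.lower()
        if key == 'user-agent':
            if not in_agents:                        # consecutive User-agent lines share one group
                current = []
            current.append(value.lower())
            in_agents = True
            rules[value.lower()]                     # make the group exist even with no Disallow
        else:
            in_agents = False
            if key == 'disallow' and value:          # an empty Disallow means "allow everything"
                for agent in current:
                    rules[agent].append(value)
    return dict(rules)


def disallowed_for(rules, ua, path):
    """True if robots.txt forbids `path` for this user agent (most specific group wins, else '*')."""
    ua_l = ua.lower()
    prefixes = None
    for agent, plist in rules.items():
        if agent != '*' and agent in ua_l:
            prefixes = plist
            break
    if prefixes is None:
        prefixes = rules.get('*', [])
    return any(path.startswith(p) for p in prefixes)


@dataclass
class ClientStats:
    requests: int = 0
    robots_violations: int = 0     # requests for paths robots.txt told this agent not to fetch
    not_found: int = 0             # 404s: probing for pages that do not exist
    unchanged_refetches: int = 0   # repeat requests for a path already answered 304 Not Modified
    redirect_retries: int = 0      # repeat requests for a path already answered with a redirect
    seen_304: set = field(default_factory=set, repr=False)
    seen_redirect: set = field(default_factory=set, repr=False)


def analyse(log_lines, robots_rules):
    """Tally the four abuse signals per client IP."""
    stats = defaultdict(ClientStats)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                 # ignore lines that are not combined-format
        ip, path, status, ua = m['ip'], m['path'], int(m['status']), m['ua']
        s = stats[ip]
        s.requests += 1
        if disallowed_for(robots_rules, ua, path):
            s.robots_violations += 1
        if status == 404:
            s.not_found += 1
        if status == 304:
            if path in s.seen_304:                   # the second 304 onwards is a pointless re-scan
                s.unchanged_refetches += 1
            s.seen_304.add(path)
        if status in (301, 302, 307, 308):
            if path in s.seen_redirect:              # a client that followed the redirect would not be back
                s.redirect_retries += 1
            s.seen_redirect.add(path)
    return stats


# Illustrative thresholds (assumption): any signal at or above its limit flags the client.
THRESHOLDS = dict(robots_violations=1, not_found=3, unchanged_refetches=2, redirect_retries=2)


def flag_abusive(stats):
    """Return {ip: [signal names]} for clients that trip at least one threshold."""
    flagged = {}
    for ip, s in stats.items():
        reasons = [k for k, limit in THRESHOLDS.items() if getattr(s, k) >= limit]
        if reasons:
            flagged[ip] = reasons
    return flagged


# Constructed sample data: a robots.txt and log lines from one misbehaving bot and one ordinary browser.
ROBOTS_TXT = """
User-agent: BadBot
Disallow: /

User-agent: *
Disallow: /private/
Disallow: /admin
"""

BAD = '203.0.113.7 - - [10/Oct/2025:13:55:{s:02d} +0000] "GET {p} HTTP/1.1" {c} 512 "-" "BadBot/1.0 (+http://example.invalid/bot)"'
GOOD = '198.51.100.4 - - [10/Oct/2025:14:01:{s:02d} +0000] "GET {p} HTTP/1.1" {c} 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"'
LOG_LINES = [
    BAD.format(s=i, p=p, c=c) for i, (p, c) in enumerate([
        ('/index.html', 200), ('/private/data', 200), ('/admin', 404), ('/wp-login.php', 404),
        ('/.env', 404), ('/index.html', 304), ('/index.html', 304), ('/index.html', 304),
        ('/old-page', 301), ('/old-page', 301), ('/old-page', 301)])
] + [
    GOOD.format(s=i, p=p, c=c) for i, (p, c) in enumerate([
        ('/', 200), ('/about.html', 200), ('/index.html', 304), ('/old-page', 301), ('/new-page', 200)])
]

if __name__ == '__main__':
    stats = analyse(LOG_LINES, parse_robots(ROBOTS_TXT))
    for ip, s in stats.items():
        print(ip, s)
    print(flag_abusive(stats))
```

Run against a real log, the same four counters make a reasonable input to a rate limiter or a fail2ban-style rule; the robots.txt signal in particular is the cleanest evidence, because a client that fetches a path it was told not to fetch has already declared which side of the "internet citizenship" line it is on.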
The idea of running even an ssh server on the open internet seems kinda naïve under the circumstances. So what alternatives exist?
The other end of the spectrum would seem to be Peer-to-Peer applications that talk only to expressly-permissioned partner instances via cryptographically secure tunnels. The advantage of such architecture is that the network of nodes that emerges is forged by human beings exercising their own best judgement on who and how to trust those who would network with them. It returns us to an internet of judgement. Of discrimination (in any sense you care to use the word). You only accept connections from instances run by people you know or have some reason to trust. Often the trust is provisional at first, because the world is a big place, so we simply assume good-faith engagement as our first convenience. Tit-for-Tat strategy in an iterated prisoner's dilemma. If our initial guess proves to be wrong (or transitively wrong) then it's a simple matter, not involving any scalability problems, to disallow further conversation with a bad actor.
The alternative: block-listing — allowing all connections and then blocking bad actors as they're discovered — suffers horrendously from scalability problems and quickly becomes a whack-a-mole nightmare. The ActivityPub universe is having to face this reality to some extent.
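The two preceding paragraphs contrast an allow-list of known peers (with provisional, good-faith admissions and transitive revocation) against a block-list that admits everyone and chases bad actors afterwards. The class below is an added example, not code from the original post or from any particular P2P project: peers are identified by the SHA-256 fingerprint of their public key (the key bytes here are constructed stand-ins), an unknown fingerprint is refused with a single dictionary lookup regardless of how many strangers exist, a peer introduced by a trusted peer is admitted provisionally, and repeated bad behaviour revokes that peer together with everyone it vouched for. The strike limit is an assumption.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


def fingerprint_of(pubkey_bytes: bytes) -> str:
    """Peer identity: hex SHA-256 of the peer's public key (the tunnel layer would prove possession)."""
    return hashlib.sha256(pubkey_bytes).hexdigest()


class Trust(Enum):
    KNOWN = "known"              # an operator you decided to trust yourself
    PROVISIONAL = "provisional"  # admitted on good faith because a trusted peer introduced them
    REVOKED = "revoked"          # no longer accepted; nothing they vouched for is accepted either


@dataclass
class Peer:
    fingerprint: str
    trust: Trust
    vouched_by: Optional[str] = None   # fingerprint of the peer that introduced this one
    strikes: int = 0


class PeerPolicy:
    """Allow-list connection policy.

    The default for a fingerprint nobody vouched for is refusal, so the cost of the
    policy does not grow with the number of strangers on the internet; the only
    state kept is the (small) set of peers that humans chose to admit.
    """

    def __init__(self, max_strikes: int = 2):
        self.peers: Dict[str, Peer] = {}
        self.max_strikes = max_strikes      # assumption: two bad interactions and you're out

    def add_known(self, fp: str) -> None:
        """A peer the operator trusts directly."""
        self.peers[fp] = Peer(fp, Trust.KNOWN)

    def introduce(self, voucher_fp: str, new_fp: str) -> None:
        """An existing, non-revoked peer vouches for a newcomer, who is admitted provisionally."""
        voucher = self.peers.get(voucher_fp)
        if voucher is None or voucher.trust is Trust.REVOKED:
            raise PermissionError("only a currently-trusted peer may introduce others")
        if new_fp in self.peers and self.peers[new_fp].trust is Trust.REVOKED:
            raise PermissionError("revoked peers are not re-admitted by introduction")
        self.peers[new_fp] = Peer(new_fp, Trust.PROVISIONAL, vouched_by=voucher_fp)

    def accepts(self, fp: str) -> bool:
        """Connection decision: one dict lookup, default deny."""
        p = self.peers.get(fp)
        return p is not None and p.trust is not Trust.REVOKED

    def report_bad_behaviour(self, fp: str) -> None:
        """Tit-for-tat: each defection is a strike; enough strikes and the peer is cut off."""
        p = self.peers.get(fp)
        if p is None or p.trust is Trust.REVOKED:
            return
        p.strikes += 1
        if p.strikes >= self.max_strikes:
            self.revoke(fp)

    def revoke(self, fp: str) -> None:
        """Cut off a peer and, transitively, everyone whose admission rested on its word."""
        p = self.peers[fp]
        p.trust = Trust.REVOKED
        for other in list(self.peers.values()):
            if other.vouched_by == fp and other.trust is not Trust.REVOKED:
                self.revoke(other.fingerprint)

    def accepted_count(self) -> int:
        return sum(1 for p in self.peers.values() if p.trust is not Trust.REVOKED)


if __name__ == "__main__":
    # Constructed key material standing in for real public keys.
    alice, bob, carol = (fingerprint_of(k) for k in (b"alice-pubkey", b"bob-pubkey", b"carol-pubkey"))
    policy = PeerPolicy()
    policy.add_known(alice)          # alice is someone the operator knows
    policy.introduce(alice, bob)     # alice vouches for bob
    policy.introduce(bob, carol)     # bob vouches for carol
    print("stranger accepted?", policy.accepts(fingerprint_of(b"stranger-pubkey")))
    policy.report_bad_behaviour(bob)
    policy.report_bad_behaviour(bob)  # second strike revokes bob, and carol with him
    print("bob:", policy.accepts(bob), "carol:", policy.accepts(carol), "alice:", policy.accepts(alice))
```

The contrast with block-listing is in what state each approach has to carry: here the table only ever holds peers somebody chose to admit, whereas a block-list must grow with every new bad actor discovered and is always one unseen address behind.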
What's interesting to me about the peer-to-peer, small-scale permissioned connectivity paradigm is that it re-inserts our million-year-evolved instincts and mechanisms for relationship management directly into the technical networking loop. And that's largely what is absent from the Client-Server mess that's evolved at the hands of Black Hats and commercially-driven vested interests. The void where tasteful discrimination and selection has gone AWOL becomes the howling wasteland of spam, grifts, con artistry, "AI" slop and theft that the public internet has degenerated into. There's very little value left for actual people anymore, and what tiny fragment of good value still exists is swamped; drowned by the cess.
The commercially driven internet is not coming to save us from this mess. (And, frankly, given this analysis, I'd strongly recommend not investing in any of the current crop of "internet" giants — the GRAFT+; I'm pretty confident that somewhere in the next few years/decade[2] people will realise that they're not getting any value out of these walled gardens, and then usage will slow... precipitously, and stock-prices with it.)
That leaves us leaning on P2P (and federation is a subset of that) protocols.
[1] Google, Reddit, Amazon, Facebook (and cohort), Twitter plus the other Usual Suspects (Microsoft, Apple, Ali Baba, etc., but then it wouldn't make such a neat acronym.)
[2] I'm terrible at guessing timelines on these things. So is everybody. "You can't time the market." So for some value of "a few years". I generally seem to come in around about 7 years ahead of the curve on stuff like this.