It’s not even necessarily the ISPs that are doing it. In many cases they don’t like this because their users start getting blocked on websites; it’s bad actors piggy-packing on legitimate users connections without those users’ knowledge.
There are residential IP providers that provide services to scrapers, etc. that involves them having thousands of IPs available from the same IP ranges as real users. They route traffic through these IPs via malware, hacked routers, “free” VPN clients, etc. If you block the IP range for one of these addresses you’ll also block real users.
Yes but there are ways to protect against that. For instance you can configure Tailscale clients to only trust nodes that have been signed by trusted nodes, or something like that.
Entirely depends on who’s publishing the image. Many projects publish their own images, in which case you’re running their code regardless.