I believe Medium's DNT implementation showed a little confirmation button on embedded Youtube players. That's the kind of consent screen you may still need with proper DNT handling.

None of those cookie popups, though. That's all malicious compliance.

I don't think this is true. DNT being absent or set to consenting is not enough to infer the user has given specific and informed consent under the GDPR.

> Explicit consent: Under the GDPR and similar laws, consent must be specific, informed, and an unambiguous, affirmative action from the user. Consent cannot be assumed by a user's continued browsing or inaction, which is what DNT would require.

if DNT is absent you could show GDPR-compliant consent screen (ofc, it would still need to be actually compliant, i.e. with "reject all" button front and center)