I think the point is that the game developers make the infrastructure around it (i.e. friend lists and lobbies), not itch.
If they really do this, why do they need the Itch profile for that? They can deal out a login on their own. Itch has no support for a lobby to begin with. Or for friends list. But then again, if your game is big enough for things like that, you probably are hosting it on your own website, where you can easily put some more advertisements for all the freeloaders.
Where you can authenticate user accounts and that sort of stuff
In theory. I have never seen a game that needed that. Are there any popular examples you can name? I did read the FAQ and know there is an API for that, but actually never saw this done.
but also it’s a public website, I don’t understand the point of hiding usernames bc of privacy or anything of that sort
Itch is a public website in the sense that anyone can access it, if they can access US websites. It is not a public website in the sense that users see other users. Apart from public activity like commenting or having a public collection you do not see any activity at all from other users. None. You also do not see "who is online", like you do see on some message boards.
Once users grasp that concept, suddenly seeing their account names on a leaderboard, just because they clicked away that cookie warning or whatever that nagging screen was, is surprising. This is bad site and information flow design, if it were implemented.
They could improve support for web games to do fancy things. But if they do, please with a robust API and with strict rules like vetting the developers.
I don’t understand the logic that an opt-in user identification system would be so detrimental to site security.
Life Scammers will find a way. I have literally seen hundreds of hacked accounts on Itch. Itch accounts are a target, as are Discord accounts. Coincidentally, many people name both the same...
An opt in is useless, if people do not understand what that means. Or would you understand that such an opt in means that anyone seeing that leaderboard could just try out passwords with your account name and try to hack your account? You do not even need to be a fake developer and harvest names. Anyone could see them.
Personally, for me it boils down to this: I do not trust amateur developers with this kind of information. There would need to be an ultra robust and foolproof API for that, with no way of exploits and a system to ensure that the dev would not be a scammer. Amateur devs playing around with account names. No, thank you. I would rather not have that.