I don't think that's a fair characterization. Most AP implementations famously don't have privacy features: it was by design (and therefore no surprise to us tech folks), but i remember it was quite the scandal when users found out Mastodon instance admins could read users' private messages. A later "scandal" involved participation in the EUNOMIA research project about "provenance tracking" in federated networks [1], which to be fair to conspiracy theorists does sound like an academic front for NSA-style firehose R&D.
That being said, Bluesky is much harder to selfhost and is therefore not decentralized in practice. [2] See also Blacksky development notes. However, Bluesky does bring a very interesting piece to the puzzle which AP carefully ignored despite years of research in AP-adjacent protocols (such as Hubzilla): account portability.
All in all, i'm still siding on the ActivityPub ecosystem because i think it's much more ethical and friendly in all regards, and i'm really sad so many so-called journalists, researchers and leftists jumped ship to Bluesky just because the attraction of "Twitter reborn" (with the same startup nation vibes) was too strong. At least in my circles, i did not meet a single person who mentioned the choice of Bluesky was about UX or features.
But now, i'm slowly warming up to the ATmosphere having a vibrant development community. Much more so than AP. And to be fair to ATProto, it is worse than AP from a centralization standpoint, but at least it's not as bad and complex as the matrix protocol which brought 0 value over AP/XMPP but made implementations 100x more complex and resource-intensive.
To me something git-like with a peer review UI (a la pull requests) seems far more natural for distributed academic publications than a social media protocol though.
ActivityPub, based on my understanding, really doesn't work like that - while you an oauth with your mastodon account, the expectation is you'll be handling identity and back-end bits, and then sharing events across the network (happy to be corrected).
Part of what kicked this off is seeing ATProto's new devrel person at a meetup and finding their vision pretty compelling.
But yes, ActivityPub is more "robust" and decentralised (hence also jankier)
ATProtocol made a decision, based on the other protocols, to put more emphasis on user experience. If you want to build a new social media fabric for everyone, they have to want to use it. AP / Nostr have UX that will never appeal to the masses.
I build in the ATmosphere because I want to effect change. AP was hostile, Nostr is for crypto bros. The @dev community is one of the strongest pieces and attractors
One way I like to think about how the protocol is different is that they made a giant event system for the public content and then let anyone plug in anywhere they want