This is kinda common. Events with other anti-fraud providers are similar, it's a black box to the outside world that figures out what's normal and what is risky.
That's true, but the data collection doesn't have to be this automated. It's a tradeoff for ease-of-use.
Everyone used to use Paypal, right? That doesn't track anything on your site in the default flow, but it requires sending the user to paypal.com, where they will have to enter even more information. But at least it doesn't collect mouse movements on all users on non-payment pages.
