TBH, with today's web the only way I have found to limit the information sent is to either not use a browser to make HTTP requests (e.g., use TCP client instead) or use a browser that (a) does not auto-load resources, e.g., images, Javascript files, etc, and (b) does not run Javascript inside <script> tags. Of course no other silly stuff like automatic "DNS prefetch" either. This way I know that the only information I am sending is the information I the web user actually sent, i.e., the HTTP request. Otherwise, there is no way to know what other HTTP requests will be made to accomplish auto-loading images, fonts, etc. or what other HTTP requests will be made by auto-loaded or inlined JS when the browser automatically runs it.

When the user types or clicks on https://hostx.com/1.htm, the user knows she has sent a request for filepath "/1.htm" at hostx.com. That's straightforward and easy to understand. Her intent is clear. She wants the file named "1.htm" from hostx.com.

However, what if she uses a browser that auto-loads remote files and auto-runs JS, and, e.g., the file 1.htm instricts the browser to auto-load the file "1.js", the browser automatically runs 1.js without any input from the user, and then 1.js makes more HTTP requests. Has the user "authorised" that information to be sent. Imagine she does not know the contents of file 1.js. How can she authorise sending information, i.e., an HTTP request, if she does not know what is the information, i.e., the request, and where it is being sent.