>I can imagine that having several typical configs and switching between them at random would help blend in.

You have to be careful with that too. An anti-anti-fingerprinting implementation can record the values and compare them across visits to see whether they stay the same. If they change every few months that's reasonable (eg. changing hardware), but if they change every day or every week there's most certainly spoofing involved.

It should change every few requests. The point is not to conceal spoofing, but to foil attempts to fingerprint.

Maybe an explicit sign of spoofing is even better, it sends a message in a gentle way.

Unspoofing on the server side, if at all possible, would likely be too expensive for whatever gain it might bring.

Unless a major anti fingerprinting solution uses the same list of GPUs as you doing this puts you in a tiny bucket and provides massive entropy to trackers, possibly even enough to exactly identify you given many webGL calls.

You could seed your random number generator with a hash of the hostname, guaranteeing consistency across all the random values you return to the one host.

Anti-anti-fingerprinting? :/

I feel like going there and telling them to stop following me around.

Does it matter if they know you're spoofing, as long as it prevents them from linking two separate sessions together?

you'll run into this problem: https://xkcd.com/1105/