A great discussion, and I just want to point to another discussion that I started that you might want to look at: Execution & Consensus Client Bootnodes - Node Operators - Lido Governance. One thing I would like to point out is that the use of the Graffiti field on a voluntary basis can be used for psyops strategies: e.g. a cartel of validators wants to provoke the regulators of a certain X country and intentionally always puts this X country in the geo-tag. Furthermore, any kind of IP addresses or location information may have been previously obfuscated. So the reliability of any kind of such data is somehow correlated with the willingness to be honest.
Just a note on bare metal: The problem with cloud solutions is the following; most of them a running under US law, so in case we even diversify on the cloud providers for the bootnodes, a single point of failure exists: the US enforcement possibility. So that’s why I support bare-metal solutions very much.