IANAL, but.... you only need consent if it isn't required for your business to function. If you need to track to maintain your trademark, couldn't you argue any business with a trademark needs to track users?
I'm sure it wouldn't work in a real court, but it sounds funny in my head.
"legitimate interests" are subject to interpretation on purpose; either legitimate interests on a given instance are lawful, or you're better off relying on consent, since your interpretation and the regulator's interpretation may be different. Check page 7 of https://www.edpb.europa.eu/system/files/2024-10/edpb_guideli...
What's 'legitimate' and what isn't is up for interpretation, but the question of whose interests is clear in the text of the GDPR itself, and it's the controller's (or a third party's) interests which could form the basis of lawful processing.
Interestingly, the GDPR specifically does not include 'benevolent' processing (i.e. processing for legitimate interests of the user) as a lawful basis.
I'm sure it wouldn't work in a real court, but it sounds funny in my head.