You're missing the technical difference in visibility. Now: Arbitrary data is buried in witness fields, requiring special software to decode and view. With 4MB OP_RETURN: The data sits plainly in a standard output. Any node parsing the chain can see it without special explorers. It’s the difference between data being technically present versus being unavoidably visible. And that's a huge difference. Don't sugarcoat it.

And if I'm correct, then the whole Knots CSAM argument is just fear mongei, right?

Yeah, see how it uses "OP_PUSHDATA2" over and over again? That makes the data non-contiguous because the there is a byte limit when you push data on the stack. (Or else the script doesn't know where your transaction ends) this is not 100kb CONTIGUOUS data. Meaning it IS chunked up.

Ok, so the main difference is that in witness encoded data you have "4d" inserted every 520 bytes, but it only costs 1/4 of fees?

Well, not exactly. Contiguous bytes that amount to CSAM, or malware in general would cause people who run a VPS node to probably have their VM shut down. That's probably 20% of the node netwprk, including major players like exchanges and mining orgs. THAT is the attack vector. Then the mitigations would be effectively having VPS providers whitelist Malware (which they won't). Having the pushbytes allows the data to be segmented and it won't trip malware detection. Nothing to do with the fees.