I agree with your assertion that if GDPR expectations are high, they will be disappointed; however, the "legitimate interest" claim doesn't trump the data subject's right to privacy in GDPR. As I understand it, you can only really claim legitimate interest if you're not doing any kind of direct marketing and are able to show that there is not undue impact on the data subject. There's a lot of conflicting information about this on the web but the actual language of the directive is pretty straightforward.
“The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.”
If you don't have a Facebook account, for example, you don't have a relationship with them and therefore have a reasonable expectation that they would not be tracking you.
Edit: Granted, the language is somewhat ambiguous and we won't really know how this shakes out until there is established case law later in the year.