yes but as was said earlier client-side JavaScript can also be blocked. Everything has downsides.

And it was posited that client-side was needed, the reply was they couldn't see why it was 'needed', which I agree with, I can see why it might be wished for, but you do not need it to record clicks. You do need it for other things, or to improve understanding of the clicks.

Basically any solution is going to be composed of many pieces, all of those pieces susceptible to attack in different ways.

But why can't a malicious server also serve up some JS that modifies the behaviour of the JS served by the ad network?