I came away from reading over the AuthTransfer protocol and its handling of moderation/enabling users with a very major sense of, "We outsource almost everything!"
As L. Rhodes writes:
[...] One effect of ATproto's structure is to multiply the number of administrative relationships for which each user must decide for themselves—often on little to no information—who deserves their trust. The complexity of its infrastructures seems like it would sometimes make it difficult to assess when that trust has been betrayed, and by whom.
So Bluesky may redistribute some technical power from host admins to users, but it also gives them much more to navigate. It makes their need for power more desperate, and I'm not at all sure that the power trickling down to them through those other layers of infrastructure will be sufficient to the need. No doubt many will compensate by sticking to the parts of the network operated by Bluesky itself—apparent choice, de facto lock-in.