In the spirit of kicking the dead horse that is ground to dust at this point... the optimal solution is to require websites that either have adult content or user-generated content to add an RTA header [1] and / or meta tags. That's it. End user devices and apps must make a best effort to look for that header and activate parental controls. That's it. The law for that could fit into a few sentences in a tiny paragraph.

Not perfect, nothing is. Teens will bypass it. Actual children not legal children but single-digit aged kids will be less likely to bypass it or accidentally stumble onto Goatse. Again, not perfect, nothing is. Perfect is the enemy of good or better than what we have now and the cost to implement is at best a side project of one college intern per company and there is no risk of data leakage. Alternately five to fifteen minutes from a network engineer adding the header to the load balancers. RTA headers are privacy compliant and do not in any way involve third parties or PCI audits. This would be one of the simplest ways to get two thumbs up from ones legal and compliance departments. We just need to create one simple law and keep the greedy evil user-profiling and tracking incentives out of it.

[1] - https://www.rtalabel.org/index.php?content=howtofaq#single