First we take your ports.

         

iamlost

3:27 pm on May 27, 2020 (gmt 0)




Jack Rhysider of the Darknet Diaries podcast and linked TunnelsUp website has an interesting write-up on how port scanning is increasingly mainstream: Everything You Need to Know About Websites Port Scanning You [tunnelsup.com].

Some websites can and do port scan you when you visit their site.
...
...this is all done in the browser through javascript, where a website is instructing your computer to port scan itself, then report the results to the website.
...
It’s bypassing all the network security I have put in place. It bypasses my firewall, my AV, and my Pi Hole.
...
So why are they port scanning us?
...
* detects bot attacks...
* see the true IP address, geolocation and other attributes...
* helps...mitigate the [malware] risk...
* differentiate between good and bad users, devices, locations or personas.
* identifies returning users that wipe cookies, use private browsing, and change other parameters to bypass traditional device fingerprinting tools.

Note: this is not new, Halifax Bank (UK) was called out on this in 2016. However, a lot more vendors are offering and a lot more enterprise, especially finance and eCom, sites are using variations.
Note: these tests barely scratch the surface of what is possible and how ‘blockers’ can be bypassed. Eg: it is surprisingly? often possible to instruct the connecting device to take a selfie of the user.

MUAHAHAHAHA!
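Added example, not part of the post above or of the linked article: a defender-side check that spots the in-browser self-scan pattern in a request log by flagging public origins whose pages contact several loopback or private host:port pairs. The `{initiator, url}` record shape, the function names, the threshold of 3 and the sample records are all assumptions constructed for illustration.

```javascript
// Assumed input: records exported from a proxy log or browser HAR,
// each with the initiating page URL and the requested URL.

// True for loopback, RFC 1918 private and link-local hosts.
function isLocalHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase(); // strip IPv6 brackets
  if (h === "localhost" || h.endsWith(".localhost") || h === "::1") return true;
  const m = h.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (!m) return false;
  const [a, b] = [Number(m[1]), Number(m[2])];
  return a === 127 || a === 10 || (a === 192 && b === 168) ||
         (a === 172 && b >= 16 && b <= 31) || (a === 169 && b === 254);
}

// Group local targets by the public origin that requested them and
// report origins that touched at least minPorts distinct host:port pairs.
function findLocalProbes(records, minPorts = 3) {
  const byOrigin = new Map();
  for (const { initiator, url } of records) {
    let src, dst;
    try { src = new URL(initiator); dst = new URL(url); } catch { continue; }
    // Local pages talking to local services are normal (dev servers).
    if (isLocalHost(src.hostname) || !isLocalHost(dst.hostname)) continue;
    const port = dst.port ||
      ({ "https:": "443", "wss:": "443" }[dst.protocol] ?? "80");
    if (!byOrigin.has(src.origin)) byOrigin.set(src.origin, new Set());
    byOrigin.get(src.origin).add(`${dst.hostname}:${port}`);
  }
  return [...byOrigin]
    .filter(([, targets]) => targets.size >= minPorts)
    .map(([origin, targets]) => ({ origin, targets: [...targets].sort() }));
}

// Constructed sample records (not real traffic).
const sampleRecords = [
  { initiator: "https://shop.example/login", url: "wss://127.0.0.1:5900/" },
  { initiator: "https://shop.example/login", url: "wss://127.0.0.1:5931/" },
  { initiator: "https://shop.example/login", url: "wss://127.0.0.1:3389/" },
  { initiator: "https://shop.example/login", url: "https://cdn.example/app.js" },
  { initiator: "https://news.example/", url: "http://localhost:8080/status" },
  { initiator: "http://localhost:3000/", url: "http://localhost:3001/api" },
];

console.log(JSON.stringify(findLocalProbes(sampleRecords), null, 2));
```

A single local request (the `news.example` record) stays below the threshold, which keeps legitimate helper-app integrations from being reported alongside multi-port sweeps.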

brotherhood of LAN

4:02 pm on May 27, 2020 (gmt 0)




Seen a report of this kind of thing on Hacker News. There are also some security issues regarding websockets for webdev tools, quite obscure but useful to know for anyone concerned.

Here it is: [medium.com...]

lucy24

4:13 pm on May 27, 2020 (gmt 0)




A good illustration of the conflict between Things That Concern Us As Users, vs. Things That Concern Us As Webmasters.