Moreover, clicking the link is all which is necessary for a successful spearphish.

How so? If there's a zero-day in the browser? Or is there that much value in just getting their IP address/user-agent?

Browsers often have zero days.

Not only do browsers often have zero days but many people configure their browsers to let the server do basically anything it wants. Service workers, WebGL, Webasm, javascript.

Any of those have been demonstrated to be capable of spectre/meltdown/etc. Hope your passwords/ssh keys aren't stored in RAM.