Following a suggestion by @leip4Ier, I created a small Python script to filter the log – only RSS requests and requests by IP addresses that loaded CSS are passed through. Almost all bot activity is filtered away and I am left with around 50% of the visits on most days.
@leip4Ier No, that's mostly HEAD requests – seem to be checks whether a page exists and metadata retrievals, yet they have the referrer set. I didn't check whether it's Twitter and GitHub themselves who perform these requests or whether it's some third parties. But they definitely aren't browsers.
A Mastodon instance for info/cyber security-minded people.