PyPI is in a tough spot because they're also getting hit with an onslaught of malicious packages, which got to such a bad point they had to disable signups. How do they mitigate that kind of activity without logging basic metadata like the IP address that published a package? Also, as a user of PyPI, wouldn't you prefer that a malicious package is at least _somewhat_ traceable to an attacker? Of course most would be behind a VPN, but it's better than nothing (or maybe it's not, depending on the tradeoff).
Note that the blog post doesn't say they handed the entire database over to the feds. They received three warrants scoped to specific packages and returned only the data they had available that was associated with those packages.
That's also a highly effective mitigation against legitimate users, especially those already disadvantaged everywhere else by a lack of disposable income.
Charging goes well for many online services. Hosted email, hosted VPS, and hosted SaaS are some that come to mind. Apple Store and Google Play charge to host mobile games.
Now they need to subpoena both PyPI and the payment processor. It does slow them down but effectively does nothing to "thwart future subpoenas from the total surveillance state".