Your statement of "social media doesn't work if you can't log in" is demonstrably untrue. Millions of people watch pre-recorded YouTube videos, Twitch livestreams, Tiktok shorts, music tracks on Spotify/Soundcloud, microblogs on X/Bluesky and many other services without ever logging in to them. People don't have to post, comment nor create content in order to consume it, and there has always been, in aggregate, more silent consumers than contributors.
It's also important to understand how lawmakers define social media, relative to the old school definition of social networking, which is what a technical Internet user typically thinks of when it comes to social media. In Britain, if a service is capable of user-to-user communication, it is treated in law as if it is social media, and if you're able to access *any* content on the service, even without yourself sending any messages to users, you are still making use of a covered service. To ensure that the new, onerous legal requirements don't completely break the Internet, they carved out specific exceptions for email, SMS, RCS and private instant messaging services. They then followed this up by tabling a bill to mandate that smartphones analyse every picture or video ever taken to stop specific types of content from even being created (as part of the Children's Wellbeing and Schools Bill, which also, among other things, appears to be an attempt to implement a framework to implement watershed times in the future for unauthenticated access to online services).
This is why we're seeing companies like Microsoft disabling chat capabilities on video games like Minecraft on the client side, even when the connection is to a LAN-hosted server. It's still user-to-user communication (i.e. social media) and Microsoft's legal team clearly assessed that messing with the game client itself (as opposed to server side code) was the best way to comply. It's why Apple has started forcibly applying client-side filtering on iOS, subject to ID checks in order to allow users to disable them (suffice to say, I'm now using GrapheneOS as my daily driver, my iPhone is relegated to the role of banking).
Regarding what happened with OnlyFans,
you'll see that in the UK, participating customers simply got refunded, the girls in question received counselling (not a punishment) and British parents/grandparents who allowed their IDs to be used (but where there was no evidence of stereotypical child abuse) did not get prosecuted either. OnlyFans guarantees their content is legal, so if there's illegal content which passes their initial manual checks, at that point it's no longer possible to claim the customer should have known. All liability in the equation was taken on by OnlyFans. Parliament even debated the issue, with the result being politicians pointing out that the fault was solely with the Government, not businesses performing the completely ineffective checks they were asked to perform.
Hopefully this explains the point a bit more clearly.