Generally - for your cache-control headers.. if you are not using stale-while-revalidate on your CDN - you are having some of your visitors getting slow responses - when they hit the requests where the max-age TTL is up. I haven't found any downside while using stale-while-revalidate.
Check your HTTP headers - make sure the field vary doesn't contain User-Agent. This is severely impacting your cache efficiently on the CDN. If the vary header contains it - this most likely is coming from a line within your httpd/dispatcher config - remove this exact line from the vhost files: Header append Vary User-Agent env=!dont-vary
Some sites are loading the ContextHub - but are not configuring it - which results in slowing your page rendering in the browser quite a bit. If your site is making a request like /etc/cloudsettings.kernel.js/libs/settings/cloudsettings/legacy/contexthub you are impacted. Please remove the ContextHub from your page template - or configure it correctly with a config in /conf/..
Make sure your sites is delivered with HTTP/2 at least - and not HTTP/1.1 - some folks are running WAF like Incapsula that with default config are making AEM downgrade traffic to HTTP/1.1. Check the WAF settings to end-to-end use HTTP/2.