This is a topic of ongoing debate at M³AAWG (The Messaging, Malware, and Mobile Anti-Abuse Working Group). It's a mess and there are no easy solutions. It sounds like you're doing everything right, but some anti-spam systems are a little too aggressive.
The big issue is that anything you can do can also be done by an abusive marketer or spammer.
The best proposal I've heard is just to put a timer on the action. Add a captcha for users that unsubscribe within 5 minutes of delivery and remove the captcha afterwards. (Do not implement this for your RFC 8058 List-Unsubscribe-Post link.)
My next favorite proposal is to add a canary link to the message. This should be invisible to human readers. If it is followed, it reverts recent click activity from that IP and bans the IP from action triggers for a time.
I like your ideas too, just make sure that if Javascript is disabled, the user can still unsubscribe after a confirmation button click.
There's a part of me (warning, I'm an anti-spam researcher) that wants these false positives. Hopefully that will teach my peers that they're doing such a bad job and that these escalations will keep coming to them. From your perspective, you get to pass the buck (though you will lose a few subscribers in the process).
Spam detection systems must be careful to avoid subscription management links (at least until the bad guys start disguising their payloads as unusbscribe links).
