Replacing it isn’t the problem, buying it is. Yes I’m sure you can find showerheads with illegal flow rates available online, but reputable stores won’t sell anything over 2.5 gpm anywhere in the US, and over 2.0 or 1.8 in the states that have those limits. Amazon won’t ship the higher flow rates into a lower flow rate state.
Amazon does, however, ship showerheads that come with an instruction sheet for how to remove the flow restrictor. (One must only do this to compensate for one's home having low water pressure, of course.)
Note that a restriction on commercial sales still does not make an item itself "illegal".
I'm not trying to ignore the frustrating activation energy of having to spec/get/install your own showerhead rather than automatically having a default you like. But it's clear that amount of market friction here is much less than say, the overt digital authoritarianism currently going on across the whole phone app/software market. And it's important to keep this perspective, lest memes about "illegal showerheads" morph into groupthink that supports different authoritarian movements.
