I think I’m kind of on your side in general, but I have more of the opposite feeling about legal versus technical solutions. If we had no idiotic EU cookie laws, no “consent” bs required, a technical solution would be easy: default segmentation of cookies by what site you are actually visiting, plus all non-first-party ones silently expired after 60 minutes or whatever. It seems like this would be very easy, except for the fact that the number one ad network is also the only browser vendor that matters.

But the attempted legal solutions suffer from being inside the sandbox, meaning all the “cookie management” software is a pile of hacks that barely work, and rely on browsers, as you’ve noticed, to allow their cookies in the service of…limiting cookies. And of course they also suffer from the politicians who wrote them having no clue how any of this works. I suspect if they did, they’d see how dumb it is to regulate that 10,000,000 websites each implement a ton of logic to self-limit their cookies they set (hard to police, buggy) instead of telling 2-3 companies they have to make their browsers have more conservative defaults with how they keep and send cookies back. (easy to prove it’s working with testing).