GDPR has little to do with this

Not at all true, GDPR is the exact reason why you see all of the sites these days letting users know that their site stores cookies and requesting acceptance of it. Hence why I said we, as a global society, are trying to do something about this, even if it’s something as simple as cookie use disclosure on sites – it’s a start.

If you’re fully opting out to not even have persistent sessions, I’m guessing you’re in the far minority of users here.

Never once said I did.

I’m not aware of any non-trivial readily available built-in encryption for cookies.

You’re correct, data-at-rest encryption doesn’t exist for cookies, but data-in-flight does with SSL. Also, signing cookies and samesite origin is a thing being done these days, which makes them quite improbable, if implemented properly, to be hacked for any actual use in terms of leaking logins to said sites.

this is an offline feature. The data doesn’t go back to Microsoft

For the moment, that’s what they say, yes. And that’s the problem, especially since it’s turned on, by default. This – is not – something – Microsoft has earned trust for.

But you are free to believe them all you want – the rest of us who have seen what Microsoft has done these past 40 years use that as a guide to judge – and history is usually a very good judge.