What is the expectation of multi-site cross-site signatures? #40

Open
wparad opened this issue Apr 9, 2024 · 0 comments
Comments
wparad commented Apr 9, 2024

Cross-site/cross-origin data leakage: It should be impossible for a site to use this API to circumvent the same origin policy, 3P cookie policies, etc. (More on this below.)

Often we generate a session on one subdomain and then it will get used/refreshed on another subdomain. Rarely, although this does happen, it will be a completely separate eTLD. Third-party cookies are basically dead, and we've all but given up on supporting cross-site sessions like this, but realistically this is a fundamental need we have and right now there doesn't seem to be any solution to this.

At the very least our requirement would be that the DBSC public key is consistent across an entire eTLD, and hopefully it would be consistent across the device in some non-linkable/non-trackable way; the proposal doesn't talk about that at all. It does reference that it will talk about this, but then says "More on this below", and I don't see where there is actually more.
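The scoping requirement raised above (a device-bound session created on one subdomain being honoured on another subdomain of the same registrable domain, but not on an unrelated site) can be expressed as a server-side acceptance check. The following is an added illustration, not code from the DBSC proposal or from this issue's author. It assumes a hypothetical `BoundSession` record that stores the host where the session was created and a SHA-256 thumbprint of the device public key; the tiny `PUBLIC_SUFFIXES` table is constructed for the example and stands in for the real Public Suffix List, and thumbprint equality stands in for the signature verification a real DBSC server would perform.

```python
# Added example (not part of the DBSC proposal or this issue): a server-side
# scope check for a device-bound session presented from a host other than the
# one that created it. Policy: accept only when (1) the presenting host is
# same-site (same eTLD+1) with the binding host and (2) the presented public
# key has the thumbprint recorded at binding time.
import hashlib
from dataclasses import dataclass

# Constructed mini public-suffix table; a real deployment would consult the
# Public Suffix List instead of this hand-written set.
PUBLIC_SUFFIXES = {"com", "co.uk", "github.io"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 for a host, e.g. app.example.co.uk -> example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full host down to the TLD and stop at the longest public suffix.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host} is itself a public suffix")
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def same_site(host_a: str, host_b: str) -> bool:
    """Two hosts are same-site when they share a registrable domain."""
    return registrable_domain(host_a) == registrable_domain(host_b)


def thumbprint(public_key_pem: bytes) -> str:
    """SHA-256 hex digest used as a stable identifier for the bound key."""
    return hashlib.sha256(public_key_pem).hexdigest()


@dataclass(frozen=True)
class BoundSession:  # hypothetical server-side record
    session_id: str
    bound_host: str       # host where the session was created
    key_thumbprint: str   # thumbprint of the device key recorded at binding


def accept_session(session: BoundSession, presenting_host: str,
                   presented_key_pem: bytes) -> tuple[bool, str]:
    """Decide whether a session may be used/refreshed from presenting_host."""
    if not same_site(session.bound_host, presenting_host):
        return False, "cross-site: session not valid outside its registrable domain"
    if thumbprint(presented_key_pem) != session.key_thumbprint:
        return False, "key mismatch: session bound to a different device key"
    return True, "ok"


# Constructed sample data; these are placeholders, not real keys.
DEVICE_KEY = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-DEVICE-KEY-A\n-----END PUBLIC KEY-----\n"
OTHER_KEY = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-DEVICE-KEY-B\n-----END PUBLIC KEY-----\n"
SESSION = BoundSession("sess-123", "login.example.com", thumbprint(DEVICE_KEY))

if __name__ == "__main__":
    for host, key in [("app.example.com", DEVICE_KEY),    # same site, same key -> accepted
                      ("app.example.com", OTHER_KEY),     # same site, other key -> rejected
                      ("app.example.co.uk", DEVICE_KEY)]: # different site -> rejected
        print(host, accept_session(SESSION, host, key))
```

The check deliberately separates the two failure modes the issue distinguishes: a subdomain of the same eTLD+1 is in scope and only has to present the same key, whereas a different eTLD is out of scope regardless of which key it presents.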
