Description
The security issues motivating CSP Cookie Controls (https://www.w3.org/TR/csp-cookies/) still exist. At a minimum we should list this as a security consideration. In particular, an origin is unable to restrict non-HTTP APIs from setting cookies on a host or domain. While perhaps this is a nice-to-have for hosts (APIs operating in the origin context can do lots of other things), it is a major problem unique to cookies for domains.
A multi-tenant domain (with independent origins under it) has no in-band way to prevent cookies from being set on the entire domain (i.e., to restrict cookies to same-site). The only option available there is to put the domain on a public-suffix list, which isn't always scalable or operationally maintainable.
It may also be worth considering a response header that servers could send to constrain all cookies to same-site as part of this, either with "Content-Security-Policy: cookie-scope host" or as a separate response header specific to this use-case. For example, a "Restrict-Cookies" response header with tokens matching the new features of 6265bis (same-site, secure-only, none) that would constrain behaviors of non-HTTP APIs.
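
The scoping gap described above, as an added example that is not part of the original issue: a simplified model of the RFC 6265 storage and domain-match rules, showing that a tenant can scope a cookie to the shared parent unless the parent is a public suffix. The host names and suffix sets are constructed for illustration, and the IP-address exception in domain-matching is omitted.

```javascript
// Added example: simplified model of RFC 6265 section 5.3 (steps 5-6) and the
// domain-match rule. Host names and suffix sets below are constructed.

function domainMatches(host, domain) {
  // Identical, or host ends with "." + domain (IP-address exception omitted).
  return host === domain || host.endsWith("." + domain);
}

// Returns the stored cookie scope, or null when the user agent ignores the cookie.
function storeCookie(requestHost, domainAttr, publicSuffixes) {
  const host = requestHost.toLowerCase();
  let domain = (domainAttr || "").replace(/^\./, "").toLowerCase();
  if (domain && publicSuffixes.has(domain)) {
    if (domain !== host) return null; // cannot scope a cookie to a public suffix
    domain = "";                      // falls back to a host-only cookie
  }
  if (domain) {
    if (!domainMatches(host, domain)) return null; // unrelated domain
    return { domain, hostOnly: false };
  }
  return { domain: host, hostOnly: true };
}

// Would the stored cookie be attached to a request for `host`?
function sentTo(cookie, host) {
  host = host.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatches(host, cookie.domain);
}

// Does a cookie set in the context of `setter` end up visible to `sibling`?
function reachesSibling(setter, domainAttr, sibling, publicSuffixes) {
  const cookie = storeCookie(setter, domainAttr, publicSuffixes);
  return cookie !== null && sentTo(cookie, sibling);
}

const TENANT_A = "tenant-a.hosting.example"; // constructed tenant origins
const TENANT_B = "tenant-b.hosting.example";
const PARENT = "hosting.example";            // shared multi-tenant domain
const NOT_LISTED = new Set();                // parent is not a public suffix
const LISTED = new Set([PARENT]);            // parent is on the public-suffix list

console.log("Domain=parent, not listed:", reachesSibling(TENANT_A, PARENT, TENANT_B, NOT_LISTED));
console.log("Domain=parent, listed:    ", reachesSibling(TENANT_A, PARENT, TENANT_B, LISTED));
console.log("host-only cookie:         ", reachesSibling(TENANT_A, "", TENANT_B, NOT_LISTED));
```

Only the public-suffix entry changes the outcome for the domain-wide cookie; nothing the parent or sibling origin sends in-band affects it.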