Why not add a new tier to pwas. You need to only use cookies scoped to your own domain, you get a new container without any existing session cookies etc. for other websites, but cors is dropped.
That should prevent carelessly putting auth tokens into cookies and should replace cors in that sensitive sessions are containered away and all existing data for other websites that where slopily created somehow are isolated.

After all for the way wefwef works for example I see no benefit to cors