Post-hoc tightening of the security model of a widely used software system is extremely challenging.

· Bits and Bobs 1/8/24

If you want to support as many existing "good" uses as possible, you'll have to design a combinatorial explosion of finicky, oddly-shaped carve-outs.

You can think of this as taking a fractally wrinkled, living, sprawling thing and trying to cram it into a new, smaller box. You'll need a very weirdly shaped box to fit it.

Those finicky carve-outs will feel over-complicated and arbitrary, and have tons of extremely detailed new surface area to design.

This is made orders of magnitude harder if the system is based on open standards and you have to coordinate with many other designers.

My heart goes out to the poor folks working on the APIs to deprecate third-party cookies.
