Nobody here said it would let them see your authentication details, so I’m not sure why you’re so vigorously fighting that straw man.
Your session ID is stored in a cookie. That is what a website uses to know that you’re logged in. With an XSS attack one can steal your session and use the site as though they were you. So yes - it is “authentication details”.
Nobody here mentioned it because nobody here seems to know what they’re talking about…
Third-party cookies absolutely let them know which other sites you’ve visited. That’s their main purpose.
And they are not stopped by using a separate VM with a web browser. So…
What does that mean? What are you actually trying to do?