Define httpsb:// to be like https://, but any site may make ajax and similar requests to it (without credentials). Then make some kind of exception (like csrf protection), or use legacy https, in case you need to send cookies.
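The split proposed above (anyone may fetch without credentials; sending cookies needs an explicit opt-in) is modelled below as an added example, not code from anyone in this thread. It assumes that the proposal maps onto the credentials mode of fetch() plus the browser-side CORS check from the Fetch specification, and it uses a constructed cookie jar with made-up origins (mail.example, webmail.example):

```javascript
// Added example: model of the browser's cookie-attachment rule and the CORS
// check from the Fetch specification. The origins and cookie values below are
// constructed for illustration and are not from the original discussion.

// Constructed cookie jar: origin -> Cookie header value the browser holds.
const cookieJar = new Map([
  ['https://mail.example', 'session=abc123'],
]);

// Cookie header a fetch() issued by the page at `pageOrigin` would carry to
// `targetUrl`, depending on the request's credentials mode
// ("omit" | "same-origin" | "include"). Returns null when nothing is sent.
function cookieHeaderFor(pageOrigin, targetUrl, credentialsMode) {
  const targetOrigin = new URL(targetUrl).origin;
  if (credentialsMode === 'omit') return null;
  if (credentialsMode === 'same-origin' && targetOrigin !== pageOrigin) return null;
  return cookieJar.get(targetOrigin) ?? null;
}

// The CORS check (Fetch spec, "CORS check"): may the page at `requestOrigin`
// read a response carrying `responseHeaders`? Header names are matched
// case-insensitively; values are compared byte-for-byte as the spec requires.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  const h = Object.fromEntries(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v]));
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) return false;
  // "*" is honoured only for uncredentialed requests: this is the
  // "anyone may request it, without credentials" half of the proposal.
  if (credentialsMode !== 'include' && allowOrigin === '*') return true;
  // Otherwise the server must name this exact origin.
  if (allowOrigin !== requestOrigin) return false;
  if (credentialsMode !== 'include') return true;
  // Credentialed: the server must additionally opt in, and the value is
  // case-sensitive ("True" does not count).
  return h['access-control-allow-credentials'] === 'true';
}

// Put both halves together for one cross-origin fetch. Note that with
// credentials "include" the request is still sent to the server with the
// cookie attached even when the CORS check fails; only the response is
// withheld from the script. That is why a cookie-bearing endpoint still
// needs CSRF protection, as the comment above points out.
function simulateFetch(pageOrigin, targetUrl, credentialsMode, responseHeaders) {
  return {
    cookieSent: cookieHeaderFor(pageOrigin, targetUrl, credentialsMode),
    responseReadable: corsCheck(pageOrigin, credentialsMode, responseHeaders),
  };
}

// Scenario: an open-source webmail front end reading a mail API.
const page = 'https://webmail.example';
const api = 'https://mail.example/inbox';
const openServer = { 'Access-Control-Allow-Origin': '*' };
const optInServer = {
  'Access-Control-Allow-Origin': page,
  'Access-Control-Allow-Credentials': 'true',
};

console.log(simulateFetch(page, api, 'omit', openServer));
console.log(simulateFetch(page, api, 'include', openServer));
console.log(simulateFetch(page, api, 'include', optInServer));
```

The first call is the "httpsb" case: the response is readable and no cookie leaves the browser. The second shows that a wildcard does not unlock cookies. The third is the explicit exception: the server names the origin and sets `Access-Control-Allow-Credentials: true`, and only then does a cookie-bearing cross-origin read succeed. Preflight requests are not modelled here.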
If the site wants to access google.com with its own cookies, fine, why not?
Cookies are sent only to the origin that set them and (except in XSS attacks) are not revealed to anyone else. So who exactly is stealing them?
If you want web applications to be powerful and open, you also need to let any web application access any URL.
Why should only mail.google.com be able to access my emails, and not also my-little-opensource-webmail.com ?
To facilitate that without also adding cookie stealing back in, you need to allow any website to open standard TCP sockets.
From your professional experience you can probably tell that people would rather have a slightly insecure site that works and makes a profit than a broken one because SOTA started including some new feature you didn't know about...
People would rather enable these individual headers one by one and see their effect. In h2, headers are compressed, so it's not a big deal (besides looking ugly).
If you sign for 2 versions, changes in 3 would not break you. And the point is MANY things right now could be safe to turn on for 99.99%, e.g. XFO. So, not much effort.