Most users don't care about a session cookie or whatever. In fact for some sites / SPAs etc where users are behind NATs are CGNATs they are pretty needed / useful. Or if the website is being hosted behind a load balancer, you can do a sticky session with the cookie, and many more uses.
Session cookies (and other cookie types that are actually necessary for proper site functioning) do not require, and never have required, consent. It's all of the other crap that does.
Again, this illustrates are badly understood and hard GDPR is.
Browser preferences are opt-out currently. ie, users has to go set some flag. The GDPR requires informed affirmative consent.
"Consent must be freely given, specific, informed and unambiguous."
So having a website that track you unless you set some browser flag is not enough. Many folks say that you need specific consent to track. That is why there are so many pop-ups on EU websites.
Anonymized matomo tracking strips parts of ip address - it is not so precise but it does not track you across those sites. So they have some kind of page counter but it is not same as full analytics.
Reality is EU website sets a 13 month cookie, they clearly explain they will track a lot of data about you.
Anyways, some folks here claim that just using things for analytics is NOT an allowed exception to GDPR notice rules. I mention this to just again show that GDRP is not simple (despite claims here that it is "so easy").
https://europa.eu/european-union/index_en
Most users don't care about a session cookie or whatever. In fact for some sites / SPAs etc where users are behind NATs are CGNATs they are pretty needed / useful. Or if the website is being hosted behind a load balancer, you can do a sticky session with the cookie, and many more uses.