You will see that you are logged in as yourself if you access any wordpress.com website, your session is shared with all blogs. It allows you to post comments as yourself without captcha for example.
Historically wordpress controls the entire platform. It notably doesn't allow users to post raw HTML or any javascript, or load any wordpress plugins. There is only a basic text editor to write blog articles. As a customer you wouldn't be able to intercept cookies because you don't have any control on your site (you can't even load javascript for google or amazon ads which is super annoying).
They've added some plugin support in the past year and few other things, so this might have opened some unnoticed loopholes. Notwithstanding any novelty, wordpress is locked really tight and designed with this in mind, it's safe.
