Fighting cookie theft using device bound sessions (chromium.org)
4 points by josephcsible 7 months ago | hide | past | favorite | 3 comments



If you have enough access to my device to steal my cookies, couldn't you also just do whatever you wanted to do from my device, rather than taking the cookies to your device and then doing it from there?


I might have access to your device for as long as you have a particular web page open, and want access even after you've closed the tab. So I can escape from a sandbox if I have a suitable exploit, or carry the cookie to a device where I'm outside the sandbox. The latter seems simpler.


This seems like a really obvious idea once it’s described.

Browsers aren’t the only tool that could benefit from this—common exploits for Discord or Outlook rely on bypassing 2FA by stealing tokens.



