While I understand why it's necessary, I feel that the UX of security needs a serious overhaul. It seems like an increasing share of the time I spend using technology involves jumping through hoops.
There is a push-and-pull because the ideal of how the web should work slammed head-on into the reality of how the worst actors will exploit the ideal.
Ideally, the web is a fabulous location-destroying architecture. The common protocol for both communications and content rendering really flattened the universe of data sources; doesn't matter if you're on CNN, Fox, Wikipedia, Google, or Hacker News, they all "feel" the same. Common top-level UX metaphor (underneath which customizations can be built), common language under-the-hood; the web really became a sort of global operating system for transactional communications.
In practice, letting arbitrary actors run arbitrary code on your machine at the speed of the web can be arbitrarily bad, so we tacked on a permissions architecture based on data source (delegating to the domain name service plus secret certificates to tell us who the data source is). And because the proper level of paranoia for strangers online is "zero trust by default," every domain you visit is a new trust relationship with its own security story to wrangle.
So these two features (flat experience where domain doesn't matter and zero-trust security model where domain matters a bunch) are directly at odds with each other. Sucks but it's the best we've got right now (how to improve? Hypothetically, we could add a meta-trust layer... "Here's an allow-list of sites that are trusted, so sayeth Goodsites.com". But nobody's written that spec yet).
GDPR-compliant cookies, as a concrete example, are a huge pain-in-the-ass because we retrofitted them onto site internal code itself instead of adding the concept of "required" vs "optional" cookies to the cookie jar design, which would have allowed user agents to put optional cookies behind a trust barrier like your microphone or video. But cookies are a legacy web feature and making changes to the implementation is hard (and, of course, there's the human element... I'm not 100% sure the people who hold the reins of the W3C are on the same page with the people who hold the power to create and enforce the GDPR vis-a-vis goals).