They abuse the fuck out of their monopoly, basically.
They made changes to limit the usefulness of adblockers (Manifest V3), they tried to force a remote attestation API (WEI API) a few years back that would let them do stuff like fully block users who aren’t running locked-down operating systems from using online banking software or accessing Youtube, they added many chrome-specific web APIs that are extremely helpful for fingerprinting and lock users into the chrome ecosystem, etc.
And if you’re running stock chromium, there’s a fuckton of telemetry calling home to Google servers constantly.








Unless there’s a detail in here that I’m missing, I think what you want is to have your POST endpoint set the cookie on the flask side via response.set_cookie.
Then you can write a @login_required decorator to add to your login-gated routes that confirms the JWT is valid and unexpired.