Expand Set Eligibility Beyond a Single Organization #17

@brodrigu

In Proposed Work Item: First-Party Sets @kgrovind discussed the following concern regarding a possible security risk if first parties decide to leverage a shared domain as a result of 3rd party cookie elimination and the resulting side-effects of moving a site between eTLD+1s:

Essentially, forcing all sites to move to subdomains of their parent/owner domains would have, in my example, manifested as flickr.com moving to flickr.yahoo.com, then flickr.verizon.com and subsequently to flickr.smugmug.com. This would train users to stop paying attention to the registrable domain, and focus only on the subdomain. Thus, it would make them susceptible to entering their credentials on mybank.evil.com, because mybank is in the subdomain, and lead the user to think “perhaps mybank was recently acquired by evil.com”?

First party sets provides a good solution to this concern by allowing first parties who might be leveraging some cross-domain functionality to continue to do so without migrating to a shared eTLD+1 domain.

However, the initial proposal seems to suggest shared ownership is a prerequisite for joining a first party set.

First parties who do not share a common owner are equally, if not more, incentivized to join together onto a shared eTLD+1 once 3rd party cookies are removed. This has been referred to as the publisher co-op model. Other examples of this might be bankofamerica.com migrating to bankofamerica.zelle.com when managing bank transfers or wapo.com redirecting to wapo.medium.com for access to differentiated monetization.

If we wish to truly offer a workable alternative to eTLD+1 consolidation, and prevent user domain apathy, taking a more pragmatic approach and relaxing the shared owner requirement is needed.

Even with an expanded set of qualified first parties, First Party Sets still provide elevated accountability for websites and their partners, as well as a mechanism for user agents to disqualify sets that don’t meet the standard for conduct within a set.
