Cookies are scoped to a domain: a cookie set for example.com cannot be accessed from cookie.io or subdomain.cookie.com. But a cookie set on subdomain.example.com for the parent domain will also be sent to example.com.
For example, if there is a session cookie and the subdomain also creates a cookie _session=SOMETHINGRANDOM, then when someone opens example.com this cookie is sent as well, which causes a conflict and may log the user out.
This is called cookie tossing.
Because of cookie tossing, we must think carefully before allowing untrusted people to host JS code on one of our subdomains.
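The scoping rules described above as a small model, added here as an illustration and not part of the original note. The helper names are hypothetical; public-suffix checks and the Secure/Path requirements of `__Host-` cookies are assumed away. It shows what example.com receives after a subdomain sets a parent-scoped cookie, a server-side duplicate-name check, and why a `__Host-` name cannot be overridden this way.

```javascript
// Minimal model of RFC 6265 cookie scoping (constructed example, not a full cookie jar).
// setCookie, cookieHeaderFor, duplicateNames and tossingDemo are hypothetical helpers.

// Domain-match: the host equals the domain or is a dot-separated subdomain of it.
function domainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Store a cookie set by originHost; domainAttr is the optional Domain attribute.
// Returns false when the browser would reject the cookie.
function setCookie(jar, originHost, name, value, domainAttr) {
  if (domainAttr === undefined) {
    jar.push({ name, value, domain: originHost, hostOnly: true });
    return true;
  }
  // A host may only name itself or one of its parent domains.
  if (!domainMatch(originHost, domainAttr)) return false;
  // __Host- cookies must not carry a Domain attribute, so they stay host-only.
  if (name.startsWith("__Host-")) return false;
  jar.push({ name, value, domain: domainAttr, hostOnly: false });
  return true;
}

// Build the Cookie header the browser would send to host.
function cookieHeaderFor(jar, host) {
  return jar
    .filter(c => (c.hostOnly ? c.domain === host : domainMatch(host, c.domain)))
    .map(c => `${c.name}=${c.value}`)
    .join("; ");
}

// Server-side check: cookie names that appear more than once in a Cookie header.
function duplicateNames(header) {
  const seen = new Set(), dup = new Set();
  for (const pair of header.split("; ").filter(Boolean)) {
    const name = pair.split("=")[0];
    (seen.has(name) ? dup : seen).add(name);
  }
  return [...dup];
}

// Constructed scenario: the site's own cookie plus one set by a subdomain.
function tossingDemo() {
  const jar = [];
  setCookie(jar, "example.com", "_session", "LEGIT");
  setCookie(jar, "subdomain.example.com", "_session", "SOMETHINGRANDOM", "example.com");
  const header = cookieHeaderFor(jar, "example.com");
  return { header, duplicates: duplicateNames(header) };
}
console.log(tossingDemo());
```

A server that sees a non-empty duplicate list for its session cookie name can reject the request or clear the cookie instead of guessing which value is its own.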
Read Next: https://en.wikipedia.org/wiki/Clickjacking