Had to check with Engineering (thanks Peter!) - the 4 cookies you see are:
- One from Bubble to mark the user’s session ID
- One from Bubble with the session signature to prevent tampering
- One from Bubble that tells the browser who the current user is
- One from Cloudflare (link)