When having cookies disabled in the Matomo configuration variable, and even when in privacy anonoymisation settings cookies are force disabled, then Matomo JS tracker will still create a cookie and then delete it again right away.
This is because
setVisitorCookie is called in https://github.com/matomo-org/matomo/blob/4.4.1/js/piwik.js#L4830 before any other plugins etc can disable it.
And because tag manager does
new Tracker(url, idsite) it already has the idsite at time of tracker instance creation and therefore it does set a cookie in https://github.com/matomo-org/matomo/blob/f57a5313f7923c60e55c2b101351bccaae287330/js/piwik.js#L3341 which is then deleted again.
The problem is when clicking eg in Chrome on the SSL certificate and then Cookies then this cookie still appears there and it looks to visitors as if cookies were used.
There used to be this fix for it in Tag Manager: https://github.com/matomo-org/tag-manager/pull/158
We then believed this temporary workaround was no longer needed as not having the idSite in constructor can cause other side effects. It looks like it is still an issue though. In https://github.com/matomo-org/tag-manager/pull/261 we changed it back and thought it was working now but it isn't.
Maybe a workaround to fix this issue could be to call the visitor cookie method around here https://github.com/matomo-org/matomo/blob/f57a5313f7923c60e55c2b101351bccaae287330/js/piwik.js#L6938 after triggering the
To reproduce this create a new tracker instance where you create a URL and idSite.
we should comment in https://forum.matomo.org/t/force-tracking-without-cookies-and-disable-cookies-not-working/42563/12 once fixed