Well, it's hard to prove the absence of a negative - I think that it's on the people claiming harm to provide some examples. However, I'm not even sure what a cookie data leak would look like. The large advertising brokers are handling petabytes of cookie tracking data per day. To gain any insight out of it you need to run jobs on giant clusters. The volume of the data makes it basically impossible to exfiltrate. So yeah, I'm pretty confident in this statement.
> The large advertising brokers are handling petabytes of cookie tracking data per day.
Citation needed.
Also, you don't need a copy of every single byte that a tracking company collects; summaries are more than enough to be useful to track individuals across the internet.
> The volume of the data makes it basically impossible to exfiltrate.
An attacker doesn't need to try to exfiltrate a large fraction of collected data; only the data that's likely to be interesting to them.
See Facebook/Cambridge Analytica [1] for an example of just how incompetent a technically-sophisticated company can be when it comes to protecting their users' (and their own!) data from potential adversaries.
[1] In particular, the comments from Alex Stamos, the CSO who said “We have the threat profile of a [...] defense contractor, but we run our corporate networks [...] like a college campus" (from https://www.cnbc.com/2017/10/19/facebook-security-chief-alex... )
