Basically a cookie is a really long "password" which you send to the server and the server looks it up, finds you and sends you a response of some sort. That's how all "keep me logged in" things work in web browsers.
This is only true to an extent. A cookie can have any arbitrary key/value. A cookie is just a place for the browser to store a value associated with a key that is given from a server. You can read and set cookies through JavaScript, which means that yes you can make it do the "keep me logged in", but this involves implementing a refresh token system, which is a whole other system. A cookie can be useful for storing your credentials when you log in (look into "JWT") which encrypts data to a 1-way operation so that you can always validate if a request came from the client and was not tampered with. But like I said, you can put literally anything you want in a cookie, but it's usually used to store your login "session id" or your "token" so then the server can authenticate you upon a request.
To address the rest of the thread / any other information:
JavaScript isn't bad, just bad usage of such language.
The only way around this is to never log in or touch a page ever. You HAVE to log in in order for this type of attack to happen. Another thing, usually OAuth2 will tell you exactly what type of permissions the developer has when accessing your account. Discord does this very well, telling you "This will allow the access of your identification, guilds and email" for example.
Here's an example of OAuth2 "Login through Discord" with Mee6:
https://cdn.discordapp.com/attachments/629450079887163442/782788580900470784/unknown.png
Here's an example of OAuth2 "Login through Steam" with demos.tf (api.demos.tf in this case):
https://cdn.discordapp.com/attachments/629450079887163442/782788815566929950/unknown.png
Cookies aren't the only way a web browser has access to certain key/value pairs. There's also local storage, session storage, and of course a database. Peeking at cookies will not tell you certainly what or where your data went / has gone, but the only trust you have is in the domain you're accessing and the people behind it. Do not assume that just because there's a cookie that you're being hacked either. Cookies, local storage, and session storage all have their pros and cons to web development, and it's entirely up to the developer on how to use these APIs responsibly.
JavaScript, Steam, and any OAuth2 service that is out there are very secure. Logging in does not grant a user the ability to magically change your inventory or change your password without your consent. In addition to that, 2FA would stop anything, and bypassing this is not something that I've never heard happen (especially with a company such as Steam). There are plenty of exploits that I don't know about; however, if you're sure that you never provided details (i.e. logging in through what looks like Steam but is actually a spoofed website) through any medium and you're sure it's the fault of Steam, you should probably create a ticket on support, and while you're at it report the user and website you were given.
In addition to any of this, it's very easy to spoof a login website. If you're running Chrome and save your Steam username/password so you can just click on your account and log in, and you don't see that when you're trying to access a login page, then you're most likely on a spoof site. Look below for details on exactly how to spot one if you're not sure. Again, if you do not trust the website or it's not properly established, then do not risk anything.
TL;DR:
If you log in and you do not see a green padlock (or just a padlock) left of the URL on the top of your screen when on the Steam page to sign in, you are getting spoofed. Proofread your URLs before logging in.
Here's a picture of what that would look like:
https://cdn.discordapp.com/attachments/629450079887163442/782788090480951296/unknown.png
That padlock ensures that all your traffic is encrypted (at least between the browser and the server). However, just because this is secure does not mean it's the real Steam server...
Beyond the padlock:
https://cdn.discordapp.com/attachments/629450079887163442/782789923820142593/unknown.png
Clicking that "green" (or white) padlock will bring up connection details on Chrome. You can check who certified that certificate, and for Steam, this will always be on behalf of the company (Valve Corp [US]). Company certs are always going to be from the company, as they're expensive and only given to real legal entities.
Hope this answers some questions about how logging in may give details about your profile, as told by a web developer. I do not know everything certainly, but I think I have worked long enough to at least tell people what to look for if you're skeptical.
Just please, don't click links that you've never heard of or "test" the website. You will always certainly not be the first person to fall victim.
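
The "proofread your URL" and "padlock is not enough" advice in the post above, written out as a check. This is an added example, not part of the original post; the host allowlist and the sample URLs are assumptions constructed for illustration, so confirm the real sign-in hosts yourself.

```javascript
// ASSUMPTION: illustrative allowlist of hosts where a Steam sign-in is expected.
const TRUSTED_LOGIN_HOSTS = new Set(["steamcommunity.com", "store.steampowered.com"]);

// Returns { ok, reason } for a URL shown in the address bar of a sign-in page.
function checkLoginUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "not a valid URL" };
  }
  // No HTTPS means no padlock at all.
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not HTTPS (no padlock)" };
  }
  // "https://trusted.example@other.example/" really goes to other.example.
  if (url.username || url.password) {
    return { ok: false, reason: "text before @ hides the real host" };
  }
  // The URL parser lower-cases the host and converts non-ASCII names to punycode.
  const host = url.hostname;
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "look-alike characters in host (punycode)" };
  }
  // Exact match only: a padlock on "steamcommunity.com.login.example" is still a spoof.
  if (!TRUSTED_LOGIN_HOSTS.has(host)) {
    return { ok: false, reason: `host "${host}" is not an expected sign-in host` };
  }
  return { ok: true, reason: "HTTPS and exact host match" };
}

// Constructed sample URLs (not taken from the post).
const SAMPLES = [
  "https://steamcommunity.com/openid/login",
  "http://steamcommunity.com/openid/login",
  "https://steamcommunity.com.login.example/openid/login",
  "https://steamcommunity.com@login.example/openid/login",
  "https://st\u0435amcommunity.com/openid/login", // Cyrillic "е" in place of "e"
];
for (const s of SAMPLES) {
  const r = checkLoginUrl(s);
  console.log(`${r.ok ? "OK  " : "STOP"} ${s} -> ${r.reason}`);
}
```

Four of the five samples would show a padlock in the browser; only the first passes the host check.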