This is the screencast they recorded: https://screenshot.click/10-29-0rn45-lhxy2.mp4. It looks like the tester is using an iOS emulator and not actually adding and opening the embedded app within POS as intended, but going to Settings > Apps > and then clicking on the app. Is this something they're supposed to test? Regardless, I can't reproduce this on my iPad, but this also is not how one is actually supposed to add and use an embedded app within POS.
Any idea on what I should do here? I've successfully gone through the app review process before with an embedded POS app where I wrote all of the OAuth + billing checks by hand and got it to pass and never faced any cookie issues (I just grab shop origin using url params and do hmac validation on each request).