I'd like to expand on this idea by suggesting that, in the case of sites being 'whitelisted' in the site-manifest, they should only have access to an alternate cookie type, such that they are only accessible via that domain.
I.e., instead of them having access to cookies stored under their own domain (e.g. cookies stored under thirdparty.net), they have access to cookies stored under the scope of the domain of the website in the browser address bar (e.g. cookies stored under thirdparty.net@targetdomain.com).
This would allow the use of third party services, but specifically restrict their usage to the target domain.
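
A minimal model of the scoped-cookie idea proposed above, added here as an illustration and not part of the original post. The class name, the manifest shape, the domain `otherdomain.example`, and the rule that non-whitelisted third parties get no cookie access at all are assumptions.

```javascript
// Toy cookie jar: a whitelisted third party reads and writes only the scope
// "<thirdParty>@<topLevelDomain>", never its own first-party jar.
// ScopedCookieJar and the manifest shape are hypothetical names.
class ScopedCookieJar {
  constructor(manifests) {
    this.manifests = manifests; // top-level domain -> Set of whitelisted third parties
    this.store = new Map();     // scope key -> Map(cookie name -> value)
  }

  // Storage scope for a request, or null when cookie access is refused.
  scopeFor(requestDomain, topLevelDomain) {
    if (requestDomain === topLevelDomain) return requestDomain; // first party
    const allowed = this.manifests.get(topLevelDomain);
    if (!allowed || !allowed.has(requestDomain)) return null;   // assumption: blocked
    return `${requestDomain}@${topLevelDomain}`; // '@' cannot occur in a hostname
  }

  set(requestDomain, topLevelDomain, name, value) {
    const scope = this.scopeFor(requestDomain, topLevelDomain);
    if (scope === null) return false;
    if (!this.store.has(scope)) this.store.set(scope, new Map());
    this.store.get(scope).set(name, value);
    return true;
  }

  get(requestDomain, topLevelDomain, name) {
    const scope = this.scopeFor(requestDomain, topLevelDomain);
    if (scope === null) return undefined;
    const cookies = this.store.get(scope);
    return cookies ? cookies.get(name) : undefined;
  }
}

// Constructed scenario: thirdparty.net is whitelisted by two different sites.
function demo() {
  const jar = new ScopedCookieJar(new Map([
    ["targetdomain.com", new Set(["thirdparty.net"])],
    ["otherdomain.example", new Set(["thirdparty.net"])],
  ]));
  jar.set("thirdparty.net", "thirdparty.net", "uid", "global-id");  // visited directly
  jar.set("thirdparty.net", "targetdomain.com", "uid", "scoped-id"); // embedded
  return {
    onTarget: jar.get("thirdparty.net", "targetdomain.com", "uid"),
    onOther: jar.get("thirdparty.net", "otherdomain.example", "uid"),
    firstParty: jar.get("thirdparty.net", "thirdparty.net", "uid"),
    blocked: jar.set("tracker.example", "targetdomain.com", "uid", "x"),
  };
}
```

The identifier set while embedded on targetdomain.com is not visible when the same third party is embedded elsewhere, and the third party's own first-party cookie never reaches the embedded context, which is the cross-site correlation the scoping is meant to prevent.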