Right now when a user logs out of MediaWiki, a significant amount of state can stay behind spanning both the logged-in and logged-out browsing session, which is likely unexpected from a user perspective.
While we take care to expire the PHP session data, and PHP session cookie on the client. Other cookies (session-bound or otherwise), and all browser storage (sessionStorage and localStorage) remain.
The session-bound cookies and sessionStorage values should be cleared if the user remembers to properly close all windows and quit the browser. But even then other storage remains.
And more likely, a user may close the browser in its entirety, in which case most modern browsers are helpful enough to save it anyway and offer to restore the session upon re-opening of the browser.
Logging-out is the key user interaction here that we should use to clear everything else.
This could be taken care of by loading some JavaScript code on the page in response to the POST request after a successful log-out.
In addition, we can use the Clear-Site-Data header which can help clear additional things in supported browsers (such as HTTP caches).
Clear Site Data (W3C specification)
https://www.w3.org/TR/clear-site-data/