
Make upload.wikimedia.org cookieless
Closed, Resolved · Public

Description

The only cookies we set on upload.wikimedia.org responses are GeoIP, WMF-Last-Access, and CP (connection properties). GeoIP and CP are not useful, since they cannot be read by JavaScript code with a different origin.

I am not so sure about WMF-Last-Access. Do we count upload.wikimedia.org requests? (We probably shouldn't, since images can be hotlinked.) We also have to be careful not to trip the X-WMF-NOCOOKIES code for upload.wikimedia.org if we go cookie-less.

Event Timeline

Restricted Application added subscribers: Zppix, Aklapper.

WMF-Last-Access doesn't ever set Domain=, so tracking last-access has always been separate per-project/language, and upload would be entirely in its own bin. So at least logically, it shouldn't be a problem. I don't think there would've been any way to usefully use last-access data from upload.wm.o to infer things about other project/domain accesses.

Unique Devices are calculated per project, as @BBlack mentioned; in the case of upload.wikimedia.org we neither report pageviews nor unique devices. Thus WMF-Last-Access can be removed.

Change 294018 had a related patch set uploaded (by Ori.livneh):
Make upload.wikimedia.org cookie-free

https://gerrit.wikimedia.org/r/294018

Change 294018 merged by BBlack:
Make upload.wikimedia.org cookie-free

https://gerrit.wikimedia.org/r/294018

I merged the above, which just un-sets Set-Cookie, but we may want/need to look at this deeper and disable the setting of the cookies in the first place (for efficiency, and also I'm not 100% sure (esp. across varnish3+4) that it will actually unset multiple Set-Cookie).

(Also, all the same probably applies to maps.wm.o tile requests (which are almost all requests there, but not the leaflet/css/js fetches?), which could go cookieless as well I think, at least for the common VCL ones like CP/WMF-Last-Access.)
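
One way to check the concern raised above about several Set-Cookie headers surviving the strip, as an added example that is not part of this task or the merged change: it lists every cookie a response head still sets, reading each Set-Cookie line separately. The function names are hypothetical, and the sample response heads and cookie values are constructed; only the cookie names come from the task description.

```python
import io
from http.client import parse_headers


def set_cookie_names(raw_head: bytes) -> list[str]:
    """Return the name of every cookie set by a raw HTTP response head."""
    fp = io.BytesIO(raw_head)
    fp.readline()                    # skip the status line
    headers = parse_headers(fp)      # field names match case-insensitively
    # get_all() returns each Set-Cookie line separately; get() would return
    # only the first one and hide any header that survived the stripping.
    values = headers.get_all("Set-Cookie") or []
    return [value.split("=", 1)[0].strip() for value in values]


def is_cookieless(raw_head: bytes) -> bool:
    """True only when no Set-Cookie header of any spelling remains."""
    return not set_cookie_names(raw_head)


# Constructed response heads (not captured traffic); values are placeholders.
UNSTRIPPED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/png\r\n"
    b"Set-Cookie: WMF-Last-Access=08-Jul-2016;Path=/;HttpOnly;secure\r\n"
    b"set-cookie: CP=H2; Path=/; secure\r\n"
    b"Set-Cookie: GeoIP=XX:::0.00:0.00:v4; Path=/; secure\r\n"
    b"\r\n"
)
# Failure mode under test: only some of the Set-Cookie lines were removed.
PARTIAL = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/png\r\n"
    b"set-cookie: CP=H2; Path=/; secure\r\n"
    b"\r\n"
)
STRIPPED = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n"

if __name__ == "__main__":
    samples = {"unstripped": UNSTRIPPED, "partial": PARTIAL, "stripped": STRIPPED}
    for label, head in samples.items():
        print(f"{label}: {set_cookie_names(head) or 'cookieless'}")
```
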

ema triaged this task as Medium priority. · Jul 8 2016, 10:20 AM

I can confirm all my requests to upload today were cookie free. Anything left to do?

Change 341552 had a related patch set uploaded (by ema):
[operations/puppet] cache_upload: test cookie stripping

https://gerrit.wikimedia.org/r/341552

Change 341552 merged by Ema:
[operations/puppet] cache_upload: test cookie stripping

https://gerrit.wikimedia.org/r/341552

ema claimed this task.