RE: A scammer has stolen our PEPT account

Nope, there are no server session cookies involved when credentials are exchanged between a user and a keychain application. These apps are designed to be secure, client-side storage vaults. Keychain is an encrypted database stored locally on your device. When you save a password, the app encrypts it using keys derived from your device's hardware and your passcode. This makes the data incredibly difficult to access without physical access to the device and the correct password or biometric authentication (like Face ID). When an app needs to access a credential, it requests it from the keychain. The operating system handles the entire process locally without sending the data to a server.