The Great SameSite Confusion
jub0bs.com

Great article all around.
TL;DR: A cross-origin request can still be same-site. Also, SameSite cookies do not prevent cookies from being included in malicious requests originating from subdomains, because a "site" is by definition the scheme (e.g., https) plus the eTLD+1 (e.g., example.com), not the full origin.
Example: https://subdomain.example.com can submit a malicious POST to https://example.com/delete-account and the user's session cookie would still get included in the request headers. This is why CSRF tokens are commonly employed on top of SameSite cookies as an added layer of protection.
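To make the same-origin versus same-site distinction concrete, here is an added example (not code from the linked article or from jub0bs.com) that classifies a pair of URLs and then simulates the browser's decision to attach a cookie under each SameSite mode. It assumes a tiny, constructed public-suffix list standing in for the real Public Suffix List, and the helper names (`registrableDomain`, `classify`, `isCookieSent`) are hypothetical; the simplified Lax rule omits the browser's short "Lax-allowing-unsafe" window. The example generalises the page's subdomain case to ports, schemes and shared public suffixes such as github.io.

```javascript
// Constructed, abbreviated public-suffix list for illustration only.
// A real implementation must consult the full Public Suffix List (publicsuffix.org).
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk", "github.io"]);

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// eTLD+1: the longest matching public suffix plus one more label.
// Returns null when the host is itself a public suffix (no registrable domain).
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return hostname; // no suffix match (e.g. "localhost"): treat whole host as registrable
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

// Origin = scheme + host + port (the same-origin policy's unit of isolation).
function origin(urlString) {
  const u = new URL(urlString);
  return { scheme: u.protocol, host: u.hostname, port: u.port || defaultPort(u.protocol) };
}

function isSameOrigin(a, b) {
  const x = origin(a), y = origin(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Schemeful same-site: same scheme and same eTLD+1. Port and subdomain are ignored.
function isSameSite(a, b) {
  const x = origin(a), y = origin(b);
  const dx = registrableDomain(x.host), dy = registrableDomain(y.host);
  return x.scheme === y.scheme && dx !== null && dx === dy;
}

// "same-origin" implies "same-site"; report the strongest relationship that holds.
function classify(a, b) {
  if (isSameOrigin(a, b)) return "same-origin";
  if (isSameSite(a, b)) return "same-site";
  return "cross-site";
}

// Simplified model of whether the browser attaches a cookie with the given
// SameSite attribute to a request from `initiatorUrl` to `requestUrl`.
function isCookieSent({ sameSite, requestUrl, initiatorUrl, method, topLevelNavigation }) {
  if (sameSite === "None") return true;            // requires Secure; always sent
  if (isSameSite(requestUrl, initiatorUrl)) return true; // Strict and Lax both send
  if (sameSite === "Lax") {
    // Lax: cross-site cookies ride along only on top-level navigations with safe methods.
    return topLevelNavigation && SAFE_METHODS.has(method.toUpperCase());
  }
  return false; // Strict: never on cross-site requests
}

// Constructed scenario from the page: a subdomain posting to the parent site.
const TARGET = "https://example.com/delete-account";
const SUBDOMAIN = "https://subdomain.example.com/page";
const ATTACKER = "https://attacker.test/page";

function demo() {
  return {
    subdomainRelation: classify(SUBDOMAIN, TARGET),
    subdomainStrictPost: isCookieSent({ sameSite: "Strict", requestUrl: TARGET,
      initiatorUrl: SUBDOMAIN, method: "POST", topLevelNavigation: true }),
    attackerStrictPost: isCookieSent({ sameSite: "Strict", requestUrl: TARGET,
      initiatorUrl: ATTACKER, method: "POST", topLevelNavigation: true }),
    attackerLaxGetNav: isCookieSent({ sameSite: "Lax", requestUrl: TARGET,
      initiatorUrl: ATTACKER, method: "GET", topLevelNavigation: true }),
  };
}

console.log(demo());
```

The `demo()` result is the page's point in miniature: the subdomain request is cross-origin yet same-site, so even `SameSite=Strict` still sends the session cookie, which is why a per-session CSRF token (or an Origin-header check) is needed on top of the cookie attribute.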