> So browsers need to know which domain names operate as TLDs. The domain
> name .scheme.org is going to be acting in the same way as a TLD, so e.g.
> mallory.scheme.org will be able to set and read cookies for
> alice.scheme.org, unless something is done about this.

I don't think that the Web allows setting cookies for different domains; that
is impossible. There is something called Origin in the browser, which is
domain + port + protocol, and only if it's the same are cookies sent. Do you
have any article that shows this is not the case?

I think that the public suffix is only needed for browsers that hide part of
the URL. I read somewhere that Chrome is considering doing that; for instance,
if the page is mallory.scheme.org it will only show scheme.org in the address
bar, unless the browser is told that scheme.org is like a TLD. This is the
only reason I know of why this is needed.

There isn't any security reason why scheme.org would need to be like a TLD,
unless you have something that will confirm what you're saying.
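
The cookie scoping rule this thread is discussing, as an added example that is not part of the original message: a sketch of the Domain-attribute handling in RFC 6265 (sections 5.1.3 and 5.3), run for the two host names mentioned above. The function names are made up for illustration, and the two small sets are constructed stand-ins for the Public Suffix List.

```javascript
// Added example. PSL_WITHOUT_ENTRY / PSL_WITH_ENTRY are constructed stand-ins
// for the real Public Suffix List; function names are illustrative, not a browser API.
// Scoping uses host names only: RFC 6265 (section 8.5) gives no isolation by port.

// RFC 6265 section 5.1.3 (the IP-address exclusion is omitted for brevity).
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// RFC 6265 section 5.3, steps 5-6: scope of a cookie set by requestHost.
// Returns null when the user agent must ignore the cookie.
function cookieScope(requestHost, domainAttr, publicSuffixes) {
  const host = requestHost.toLowerCase();
  let domain = (domainAttr || "").replace(/^\./, "").toLowerCase();
  if (domain && publicSuffixes.has(domain)) {
    if (domain !== host) return null; // e.g. Domain=org, or a listed scheme.org
    domain = "";                      // the suffix itself: fall back to host-only
  }
  if (domain === "") return { domain: host, hostOnly: true };
  if (!domainMatch(host, domain)) return null; // cannot set for an unrelated host
  return { domain, hostOnly: false };
}

// Would a cookie with this scope be attached to a request for targetHost?
function isSentTo(scope, targetHost) {
  if (scope === null) return false;
  const target = targetHost.toLowerCase();
  return scope.hostOnly ? target === scope.domain : domainMatch(target, scope.domain);
}

const PSL_WITHOUT_ENTRY = new Set(["org"]);
const PSL_WITH_ENTRY = new Set(["org", "scheme.org"]);

function demo() {
  const setter = "mallory.scheme.org";
  const target = "alice.scheme.org";
  const sent = (attr, psl) => isSentTo(cookieScope(setter, attr, psl), target);
  return {
    noDomainAttr: sent(null, PSL_WITHOUT_ENTRY),
    parentDomainUnlisted: sent("scheme.org", PSL_WITHOUT_ENTRY),
    parentDomainListed: sent("scheme.org", PSL_WITH_ENTRY),
    siblingDomain: sent("alice.scheme.org", PSL_WITHOUT_ENTRY),
  };
}

console.log(demo());
```
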