RFC 6896 – Secure Cookie Sessions for HTTP (ietf.org)
40 points by dedalus on Dec 20, 2018 | 9 comments


It seems this has all the disadvantages of JWT-style sessions, plus a BREACH-style vulnerability in the crypto due to compression if `plain-text-cookie-value` contains data an attacker can taint.


Yeah, I'm pretty confused by this being on the front page.


Worse: “SCS doesn't address replay of old cookie values.”


@moderators should probably be marked [2013]


A better title:

RFC 6896 - SCS: KoanLogic's Secure Cookie Sessions for HTTP [2013]


A better better title: RFC 6896 - SCS: KoanLogic's Insecure Cookie Sessions for HTTP [2013]


This doesn't seem to protect from Pass the Cookie attacks.

Edit - it's a common red teaming tactic: https://wunderwuzzi23.github.io/blog/passthecookie.html


Correct, it doesn't. If you grab that cookie and then pass the cookie from somewhere else, it will work.

Section 7.2.3 talks about cookie theft.
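The two points raised in this thread, the compression length leak from the first comment and the pass-the-cookie replay discussed just above, can both be shown against a small model of an SCS-shaped cookie. What follows is an added example, not code from the RFC, from KoanLogic's implementation or from any commenter. It copies only the RFC's field layout (DATA|ATIME|TID|IV|AUTHTAG, each base64, with DATA = encrypt(compress(plaintext)) and AUTHTAG an HMAC over the other four encoded fields) and makes these assumptions of its own: HMAC-SHA256 in counter mode stands in for the RFC's AES-CBC as a length-preserving stream cipher, the keys, the `CSRF_SECRET`, the JSON session shape, the `last_query` field the attacker can influence and the `CANDIDATES` list are all constructed for the demonstration, and `MAX_AGE` plays the role of the RFC's session maximum age.

```python
import base64
import hashlib
import hmac
import os
import time
import zlib

# Constructed keys for this run; a real deployment rotates them and names the set via TID.
K_ENC = os.urandom(32)
K_AUTH = os.urandom(32)
TID = b"k1"
MAX_AGE = 3600  # seconds a cookie stays valid after its ATIME (assumption)


def _keystream(iv, n):
    # HMAC-SHA256 in counter mode as a length-preserving stream cipher. This is a toy
    # stand-in for AES-CBC: CBC padding would only coarsen the leak below to 16-byte steps.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(K_ENC, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(data, iv):
    return bytes(a ^ b for a, b in zip(data, _keystream(iv, len(data))))


def _b64(raw):
    return base64.b64encode(raw).decode()


def _tag(parts):
    # AUTHTAG covers the encoded DATA, ATIME, TID and IV fields and nothing about the client.
    return hmac.new(K_AUTH, "|".join(parts).encode(), hashlib.sha256).digest()


def encode(plaintext, compress=True, now=None):
    """Build DATA|ATIME|TID|IV|AUTHTAG from a session plaintext (compress, then encrypt)."""
    iv = os.urandom(16)
    body = zlib.compress(plaintext, 9) if compress else plaintext
    atime = str(int(now if now is not None else time.time())).encode()
    parts = [_b64(_xor(body, iv)), _b64(atime), _b64(TID), _b64(iv)]
    return "|".join(parts + [_b64(_tag(parts))])


def decode(cookie, compress=True, now=None):
    """Return the session plaintext, or None if the tag, TID or age check fails."""
    parts = cookie.split("|")
    if len(parts) != 5:
        return None
    edata, eatime, etid, eiv, etag = parts
    if not hmac.compare_digest(_tag(parts[:4]), base64.b64decode(etag)):
        return None
    if base64.b64decode(etid) != TID:
        return None
    atime = int(base64.b64decode(eatime))
    if (now if now is not None else time.time()) - atime > MAX_AGE:
        return None
    body = _xor(base64.b64decode(edata), base64.b64decode(eiv))
    return zlib.decompress(body) if compress else body


CSRF_SECRET = b"k8Qz4vB2mN7pL3xW"  # constructed secret the attacker wants to learn


def server_set_cookie(last_query, compress=True, now=None):
    """Models a server that stores an attacker-influenced value (say, the last search
    string) in the same session blob as a secret. The attacker only sees the Set-Cookie length."""
    session = b'{"csrf":"' + CSRF_SECRET + b'","last_query":"' + last_query + b'"}'
    return encode(session, compress=compress, now=now)


def confirm_guess(candidates, compress=True):
    """BREACH-style oracle: reflect each candidate through the tainted field and take the one
    that makes the cookie shortest. Deflate turns the repeated 16-byte run into a short
    back-reference, so only the candidate already present in the plaintext shrinks DATA,
    by far more than the base64 granularity hides. Returns (best, {candidate: cookie_length})."""
    sizes = {c: len(server_set_cookie(c, compress)) for c in candidates}
    return min(sizes, key=sizes.get), sizes


# Constructed: same length, no 3-byte substring shared with the session text.
CANDIDATES = [b"Xq1Rt9Ys5Du0Hf6J", CSRF_SECRET, b"Gc3Vn8Pe2Kw4Tm7Z"]


def replayed_elsewhere(cookie, now=None):
    """Pass-the-cookie: the same bytes presented from any client verify until ATIME + MAX_AGE."""
    return decode(cookie, now=now) is not None


if __name__ == "__main__":
    best, sizes = confirm_guess(CANDIDATES)
    print("compressed   :", sizes, "-> secret found:", best == CSRF_SECRET)
    print("uncompressed :", confirm_guess(CANDIDATES, compress=False)[1])
    c = server_set_cookie(b"hello", now=1_700_000_000)
    print("replay accepted:", replayed_elsewhere(c, now=1_700_000_000 + 60))
    print("after expiry   :", replayed_elsewhere(c, now=1_700_000_000 + MAX_AGE + 1))
```

With compression on, the candidate equal to the secret yields a visibly shorter cookie while the others tie; with compression off, all three cookies have the same length and the oracle learns nothing, which is the fix the first comment implies. The example confirms whole-value guesses; byte-at-a-time recovery as in BREACH needs alignment and tie-breaking tricks on top of this and is not shown. For the replay half, the tag check passes for a copied cookie at any time before ATIME + MAX_AGE and rejects a single flipped character in DATA, so integrity is enforced but possession is the only credential.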


Yeah, as others have pointed out, this RFC is from 2013, so a bit dated.



