After following up with our support team they were able to break it down clearly:
Normally auth0.js runs on your domain e.g. contoso.com which is different from the auth0.com domain. So the iframe is created in your app and calling auth0.com which sets a a cookie that’s considered as a third party cookie.
Please let me know if this helps clear things up, thanks!