Most groups just evaluate based on the information it has as part of executing request. So yes ones that are based on being a logged in customer are based on the authentication cookie and being able to load the customer context but other don't. There's a list of cookies required here https://docs.developers.optimizely.com/content-cloud/v12.0.0-content-cloud/docs/cookie-usage . Number of visits VG is the main one that needs an extra cookie

I exchanged a few emails with Optimizely Support about this topic. In case this can be useful for anyone, I'm sharing here their latest answer:

I have been doing a review of some source code, and I can see that some visitor group criteria does explicitly depend on session state informaiton. I can confirm that the Referer, SearchWord, StartUrl, UriSessionStart, ViewedCategories, and ViewedPages criteria should not work when cookies are disabled. Since the visitor groups are not designed or tested to be able to be used while cookies are disabled or the "Do not track" setting is implemented I would not be able to say that any would be expected to work. Moving forward I would recommend testing on the site to see if any of them do work while the cookies are disabled if there are concerns from your team.
 
Many sites often have a popup message that indicates that the site is designed to use personalized content, so a similar message may be desirable for this client if discounts are going to be served through personalized content.