Webworker afaik cannot access cookies at all. Even if it did, it wouldn't have access to secure (http-only) cookies.

It does have access to IndexedDB, but so does the potential attacker. I am not aware of any place that the webworker would have access to and the attacker would not.