It's not a matter of user choice, it's a matter of maintenance and product integrity.
User B's privacy is objectively lessened by allowing tracking cookies, but that is their choice. What is out of the user's control is what mullvad chooses to spend their time supporting.
If mullvad allows users to turn off a privacy feature, now that's a permutation they have to test for. It's also an attack vector they've enabled, either through user carelessness or social engineering. Mullvad wants to be able to say "here's a browser, it's 100% private" and not have to say "as long as you do X, and don't do Y, and...". Every other browser already does that.
A possible scenadio might be that one day the user wants to log in to their other fastmail account, which they don't want to be linked to their main one in any way.
User B's privacy is objectively lessened by allowing tracking cookies, but that is their choice. What is out of the user's control is what mullvad chooses to spend their time supporting.
If mullvad allows users to turn off a privacy feature, now that's a permutation they have to test for. It's also an attack vector they've enabled, either through user carelessness or social engineering. Mullvad wants to be able to say "here's a browser, it's 100% private" and not have to say "as long as you do X, and don't do Y, and...". Every other browser already does that.