# 🔥-django-htmx
b
Well `Strict` does protect, but it has the oddity of if you click a link from another website when you should be authenticated you're not actually logged in because the cookies aren't sent, so for UX I (personally) wouldn't use that. And `Lax` lets `GET` requests pass the cookie and sometimes I'm dumb and things happen on those requests that I wouldn't necessarily want