People really seem to misunderstand those GDPR privacy banners that are on literally every site (including mine) now. Those aren't about ads, they're about cookies. If your site uses cookies or anything you interfere with uses cookies (every site in existence) you need one.
Yeah. I don't see any way that "use of cookies" would automatically trigger GDPR requirements unless the cookies *identify you to the site* semi- or fully persistently across requests. E.g. simple setting cookies stored client-side like "day or night theme" shouldn't apply.