I hope you do realize I did not say "all".
Perhaps you're right that my worldview is skewed by the fact that I work on an e-commerce site as my day job.
Anyway, yes, I would pass session ID in the URL (after all, neither cookies contain a cart's contents, just an ID), and would not worry about users. Those using URLs should know what that is, the rest have buttons.
And then you get people who return to the home page by using an in-browser function that deletes everything after the hostname, with the result "I went back to the front page of the store to look for something else to add to the cart. Why was my cart emptied?" Even people who know how a URL is structured don't know which specific query parameter holds the session ID. And even the tinier minority of users who both know how a URL is structured and correctly guess which query parameter is the session ID delete one too many characters from the URL.
Worse yet: "Why did this unauthorized charge appear on my account? I put in my credit card number but decided not to place the order." The answer is that you shared the URI of a product that included your session ID, and someone else completed checkout with your payment credentials.