To clarify: "sessions," which are entirely server-side, "use cookies" to preserve and carry the "session-ID" token. The value of this token is entirely arbitrary,

This makes it sound like this is always the case, which it isn't. The server can also choose to store actual session data in the cookie, and encrypt/sign it to prevent tampering by the client.