Our current strategy for varying the cache on cookie values is to check the cookie header for specific cookies which we know are significant to the final output. When the cookie header contains a cache-relevant cookie, we treat the request as un-cacheable.
On desktop, only token or session cookies are considered relevant. We explicitly don't want to cache logged-in page views, so this is OK.
On mobile, the situation is different. We have two additional cache-relevant cookies — disableImages and optin. Both of these have a small set of possible values (disableImages may be "1" or blank; optin may be "alpha", "beta" or "stable"). Both of these cookies represent preferences that can be set by anonymous users. Anon requests that have one or both of these cookies set can and should enjoy a high cache hit-rate, but at the moment they bypass the cache entirely. This is especially regrettable in the case of disableImages, which is presumably set by bandwidth- and latency-conscious users.
The way we handle these cookies (and soon also the NetSpeed cookie, proposed in T119797) should be different from the way we handle session and token cookies. Requests which set one or more of these cookies should be looked up in the cache.