As far as I know, this is a valid concern. It’s been asked about before on Meta: Embed YouTube videos with enhanced privacy mode (youtube-nocookie.com). It’s also something that I’ve tried to help site owners with via private support in the past.
There are some details in the link I posted above about the alternate youtube-nocookie.com domain. It would be possible for Discourse Youtube oneboxes to give an option to embed videos from this domain. The response from the Discourse team in that topic indicates why this hasn’t been implemented yet.
It might be worth noting that even with the youtube-nocookie.com domain, Youtube still sets tracking cookies on the browser, it just doesn’t set cookies related to marketing.
Searching the web for examples of sites that have implemented embedded Youtube videos in a GDPR compliant way, the best I’ve found is this: YouTube and Vimeo without Cookies | CookieTractor. It’s from a company that runs a cookie mamagement service, so possibly that biases the article. What’s interesting about it is the Youtube video demo. To try it out, click the page’s “your cookie settings” link and reload the page. It’s worth trying out the three possible cookie options to see how things are handled.
Something similar could be implemented by Discourse. Trying to integrate Discourse with third party cookie management systems is a pain.
Note that I don’t have any strong opinions about this and don’t live in the EU. I’m responding here because I know it’s something that site owners are concerned about and have struggled to implement by using external services.