Client-side SQL rules. And it's rather useful: Google -- the site recently rated worst major web destination for privacy by Privacy International (rebuttal 1, rebuttal 2) -- has put out Google Gears, a browser extension which lets you use things like Google Reader in an offline mode. Functionality-wise, this seems to work nicely indeed, and I'll try it again as the next couple of flights come up -- reading blogs certainly sounds like good inflight entertainment.
The extension's key additions to today's infrastructure: You can reliably keep both Web applications and significant amounts of data locally, such as the last 2,000 blog posts, and you can talk to that data store in SQL. Applications that can use these facilities have all the abilities that cookies could ever give them, and then some more; cookies simply look boring against this.
It will be interesting to see whether (and how) the community overall takes up the tension between the functionality enabled and the privacy worries caused -- both -- by web applications' ability to link interactions much more reliably than today, and to store larger and more structured amounts of data on the client. The tension is, in fact, non-trivial: On the one hand, reliable client-side persistency clearly enables reliable linking of different interactions. On the other hand, applications could be designed to be more privacy-friendly by actually keeping information on the client, and not transmitting it to the server. If anything, this shows that discussions about privacy online can't be limited to the side-effects of this or that technology, but should actually focus on how the technology (and the data processed) are actually used.
Meanwhile, Opera's Anne van Kesteren points to Erik Arvidsson's blog, which talks about a submission of the interfaces exposed by Google Gears to WHATWG/W3C coming soon. Anne notes the relationship to related work in the HTML5 spec. (W3C's new HTML Working Group took up HTML5 as the basis for discussion with the editors and the WG going forward in May.)
PS: In terms of security models, both the HTML5 and Google Gears work rely on the same-origin policy that's well-known from cookie land.