>>2Say you have a xss. The "best" you can do I think is silently insert a script to keylog an user's input. This is better than stealing cookies, because their logins might be cross-tested on different sites and applications and pass, meaning you can get logins to many different things like social media and even bank accounts, if you get an email and password that they use for everything. (A "master key".)
You can even force them out of the website (they'll think it's a bug) so they have to login again. You log them off without changing the page, just by manipulating html elements, then insert an event listener on the input elements you've created or exposed, in such a way that they think the webpage is behaving normally and some sort of regular fault got them off of the service.