For reference, tracked this down as being an issue with the Apache 2.4 which enabled caching of Moodle resources with Cache-Control public directive such as profile pictures, Site logo, etc but by default Apache caches the Set-Cookie Header with those, hence users being kicked out of their session, can be disabled via:
https://httpd.apache.org/docs/2.4/mod/mod_cache.html#cacheignoreheaders
In the end we just fully disabled apache caching as we should properly be thinking that through if we need it, it became enabled as it's a default / poor scoping internally of new Apache config as a combination of app servers being load balanced and reverse proxy setup leading to mod_proxy enabling this type of caching.
https://httpd.apache.org/docs/2.4/mod/mod_cache.html#cacheignoreheaders
In the end we just fully disabled apache caching as we should properly be thinking that through if we need it, it became enabled as it's a default / poor scoping internally of new Apache config as a combination of app servers being load balanced and reverse proxy setup leading to mod_proxy enabling this type of caching.