Why “strictly necessary” cookies can’t be used in the same way as advertising cookies


For example, couldn’t I give my visitor a cookie like MySpammySiteLoginStatus=logged-out and then anyone can see they visited MySpammySite? Additionally, couldn’t I hide other information in relatively simple codes, like deciding whether or not to add toolbar preference cookies based on whether or not the user got to the shopping cart?


6 Answers

Anonymous 0 Comments

Because if you try to transparently circumvent the law like that, the EU can whack you with a giant fine. This isn’t kids playing hide and seek; trying to rules-lawyer actual lawyers tends to really piss them off.

Anonymous 0 Comments

The law says they can’t. 

Is there anything physically stopping them from breaking the law and doing it anyway? No, of course not.

Anonymous 0 Comments

If you operate a business in the EU, you would be violating their laws and could face legal consequences. If you’re a small site that really only deals with US clients, yes, the EU could complain that EU citizens are visiting your site, but it’s probably not worth the hassle. If Apple/Amazon/Facebook/Google/Microsoft did it… you can be sure the EU would be handing out fines.

Anonymous 0 Comments

tl;dr: sites can categorize cookies however they deem reasonable, with no impact on how those cookies function on the site. So, there is nothing functionally different between categorizing a strictly necessary cookie and any other cookie you accept/reject. Strictly necessary cookies can absolutely be used the same way as advertising cookies.

I work extensively in this field.
When you’re interacting with a CMP on the screen (cookie management platform; the Accept/Reject All banner), you are accepting/rejecting specific cookies that have been categorized by the organization that has implemented the CMP. Those categories are usually the defaults (i.e. Strictly Necessary, Functional, Analytics, Advertising), but the organization has the ability to create its own categories. And they, themselves, categorize their *known* cookies in each of those categories.

So they may know about a Google Analytics cookie (_ga is a common one) and they have the power to categorize that cookie as a functional cookie or an analytics cookie. Functionally, that cookie is there to store who you are for tracking you between page views and send that data to their Google Analytics accounts. But how it was categorized does nothing to the actual cookie itself. Meaning, from your original question, all cookies will be used how they were intended. How the company categorized them does absolutely nothing to their functionality. It’s all for the legal need to get your users to consent to those cookies.

Not-so-fun fact: most US-based customers are tracked even after rejecting cookies. This is because the US has no laws to enforce most of this. California has CPRA (an upgrade to CCPA) that is enforceable for California residents, but even that law has almost no teeth. And it states you can track users by default until they tell you not to. GDPR (European privacy law) is *far* superior in this case. It says that companies cannot track you until you give them permission. ***Meaning*** if you’re a US resident and visit a site and THEN click the reject all button, they’ve already set cookies on your browser. You’ve already been tracked. They can’t further track you and share your data. But the deed is done. The cookies are there. They can wipe the ones the site has the ability to wipe, but many 3rd party cookies (your classic Facebook, Google Ads, etc. cookies) will still be in the browser and will share your browser session when it next makes requests to those platforms.
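The gap between a CMP label and what a cookie actually does can be checked from the outside. The following is an added example, not part of the original answer and not any CMP vendor's code: it compares the cookies a site sets before consent with the operator's declared categories. Every cookie name except `_ga`, the `example.test` domain, the category map and the issue codes are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample: Set-Cookie headers seen on first page load, before the
# visitor has clicked anything in the consent banner. Only _ga is a real name.
SET_BEFORE_CONSENT = [
    "session_id=abc123; Path=/; HttpOnly; Secure",
    "_ga=GA1.2.111.222; Domain=.example.test; Path=/; Max-Age=63072000",
    "toolbar_pref=compact; Path=/; Max-Age=31536000",
    "ad_id=xyz789; Domain=.example.test; Path=/; Max-Age=7776000",
]

# Constructed sample: the operator's own CMP categorization of its known cookies.
DECLARED = {
    "session_id": "Strictly Necessary",
    "_ga": "Strictly Necessary",      # mislabelled, as the answer says is possible
    "ad_id": "Advertising",
}

# Cookie names the auditor independently knows to be analytics identifiers.
KNOWN_ANALYTICS = {"_ga"}


def audit(headers, declared, known_analytics=KNOWN_ANALYTICS):
    """Return (name, issue, lifetime_days) for each cookie that needs review."""
    findings = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)  # attributes (Path, Max-Age, ...) attach to the morsel
        for name, morsel in jar.items():
            max_age = morsel["max-age"]
            days = int(max_age) // 86400 if max_age.isdigit() else None  # None = session
            category = declared.get(name)
            if category is None:
                issue = "uncategorized"        # the CMP only covers known cookies
            elif category != "Strictly Necessary":
                issue = "set-before-consent"   # consent-gated category, already set
            elif name in known_analytics:
                issue = "label-mismatch"       # label says necessary, purpose is analytics
            else:
                continue
            findings.append((name, issue, days))
    return findings


if __name__ == "__main__":
    for finding in audit(SET_BEFORE_CONSENT, DECLARED):
        print(finding)
```
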

Anonymous 0 Comments

You’re sort of asking two different questions, so let me break it down.

Technically speaking, you absolutely could do this.

Should you? No.

All these files are visible to anyone that knows where to look. There are organizations that spend tons of time and resources categorizing cookies and what they do (because this helps other companies group those cookies into the categories required by GDPR and CCPA and other laws). At some point, somebody will notice what you’re doing and that is unlikely to go well for you.

Anonymous 0 Comments

Strictly necessary cookies will be restricted to the same site you got them from. The browser will not add them to a request to another site. So you can’t use them to track somebody.