CBOR and COSE are pretty bad formats. The original "rationale" for CBOR was that messagepack didn't distinguish bytes and strings, which was added around ~2013. Afterwards CBOR was changed up a bit from messagepack and became a decidedly worse format. And COSE just goes against every other principle of well-engineered crypto, but that's not particularly surprising given it is a JOSE derivative.
A good zero-order classifier for "is this signing format a dumpster fire" is whether the spec mentions canonical encodings.
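Why canonical encoding comes up at all for a signing format built on CBOR, as an added example that is not part of the original comment: one integer has several valid CBOR encodings, so a verifier that decodes and re-encodes before checking sees different bytes than one that checks the bytes as received. HMAC-SHA256 stands in for the signature here, and the key, function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed sample key, not from the page
_WIDTHS = {24: ">B", 25: ">H", 26: ">I", 27: ">Q"}  # additional info -> argument layout

def encode_uint(n, info=None):
    """Encode n as a CBOR unsigned integer (major type 0).
    info=None picks the shortest form; info=24..27 forces a wider argument."""
    if info is None:
        if n < 24:
            return bytes([n])
        info = 24 if n < 2**8 else 25 if n < 2**16 else 26 if n < 2**32 else 27
    return bytes([info]) + struct.pack(_WIDTHS[info], n)

def decode_uint(data, strict=False):
    """Decode exactly one CBOR unsigned integer; strict=True rejects non-shortest forms."""
    if not data or data[0] >> 5 != 0:
        raise ValueError("not a major type 0 item")
    info = data[0] & 0x1F
    if info >= 24 and info not in _WIDTHS:
        raise ValueError("unsupported additional info")
    size = struct.calcsize(_WIDTHS[info]) if info >= 24 else 0
    if len(data) != 1 + size:
        raise ValueError("truncated or trailing bytes")
    value = struct.unpack(_WIDTHS[info], data[1:])[0] if size else info
    if strict and data != encode_uint(value):
        raise ValueError("non-shortest encoding")
    return value

def tag(data):
    """HMAC-SHA256 over raw bytes (stand-in for a signature in this example)."""
    return hmac.new(KEY, data, hashlib.sha256).digest()

def verify_as_received(data, t):
    return hmac.compare_digest(tag(data), t)

def verify_reencoded(data, t):
    # Decode, re-serialize in shortest form, then check: the bytes may have changed.
    return hmac.compare_digest(tag(encode_uint(decode_uint(data))), t)

if __name__ == "__main__":
    wide = encode_uint(10, info=25)  # 19 00 0a, same value as the one-byte 0a
    t = tag(wide)
    print(wide.hex(), verify_as_received(wide, t), verify_reencoded(wide, t))
```
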