is this just a loophole to be able to force certain cookies on us anyway?

Absolutely. The phrase itself is a weasel phrase expressing that they're legitimately interested in giving you tons of malware to increase their profit potential but trying to trick you into thinking it means that the purposes of that malware are more legitimate than that which is easier to refuse.

Most of them won't even give you the option to reject it like othercookies, only letting you "object" to the fact that you're getting it whether you want to or not.

It's infuriating and should be illegal for sure.

I love that it implies that they also have illegitimate interests that they'll still try to weasel in because 🤷💩

The legitimate interest section often has a clause like "improving user experience" and "statistical analysis".

Those are basically tracking cookies.

The legal definition in the GDPR is:

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The European Commission has a page expanding on it.

As you can see it's very vague, and it will probably take several court cases to define the boundaries.

Edit: there's currently a request to ECJ from a Dutch court to define the main boundaries (Case C-621/22) and there was already another (c13/16) setting some limits.

Big companies are not to be trusted. That has never changed and probably never will. So yes, this is definitely a loophole that is probably exploited a lot.

And as is so often the case - as annoying as it is - anyone with enough knowledge bypasses all this crap.

In this particular case: an add-on that automatically accepts all cookies and one that automatically deletes all cookies after closing the tab or browser, excluding a defined list of exceptions and specific rules defined therein. I don't need to mention adblockers and DNS obfuscators; everyone with half a brain uses them anyway. The same applies to mobile browsers. Firefox is currently still one of the last remaining defenders against the Chrome epidemic (it has unfortunately lost in the iPhone world due to technical K.O. ).

Legitimate interest is the phrasing used by the legislation, which is why companies use it. The wording of the law is pretty lax so a lot of companies put whatever they want in there. I think the intent of the law is to have those cookies be the kind that the website needs to work. For example, they might use that to store which cookies you chose to enable. If you don't want analytics cookies, the site would make a note of that in those necessary cookies.

Personally, I have my browser set up to clear cookies when I close it, and I have a few sites set up as exceptions.

There is necessary data processing. This is like the server knowing your IP address. Whilst the IP is personal data, it is required for network communication to work, and the server needs to know where to send the packets. But it doesn't necessarily need to be stored.

Legitimate interests are legit things like security and fraud.
With the IP example, this could be storing your IP address along with some server metrics for a few hours to make sure you aren't trying to DDOS the server. This is a legitimate interest that doesn't need consent, as it is protecting company assets.
Similar with fraud.

Legitimate interests that don't ask for consent have to be backed up in the privacy policy. And because it's all wishy washy wording, the privacy policy can be challenged. So it's a barrier of entry to stop companies making everything legitimate interests.

Where it gets funky are things like targeted ads, 3rd party ad companies etc.
An ad company's legitimate interests are at odd with the end user, indeed their whole business model is at odds with the end user.
They have similar concerns about security as above.
However, their product is delivering ads to users, proving they have been delivered, and proving that the delivered ad has influenced the users behaviour. That is their ideal business model.
So, whilst processing your IP for DDOS protection, they might also tack on some log monitoring to see if "ad on Y page made you visit Z store page".
This is using data already collected for a legitimate interest (DDOS protection), however it is processing it to track a user.... Which is also the company's legitimate interest, however it will likely be challenged. At which point, it's easier to have a consent option for the extra processing and save the hassle of having to legally defend the process.

Essentially, legitimate interests are processing user data.
They may be beyond the core functionality of the actual website/app (eg fraud prevention, DDOS protection), but required for the company to run the website/app. At which point they don't need consent, as long as their privacy policy is up to scratch.
Or they could be extra functionality that isn't actually required (like the log processing by an ad company) to serve the content, but might improve the experience (or generate the company more money)

How this all boils down in the wild is that a lot of tracking and processing still happens, consent popups have dark-pattern UIs with complex language hiding what it really means backed by a privacy policy full of legalese. A lot of these sites are probably still in breach of GDPR, but it's hard to prove and hard to prosecute.
Most of the time, if a website makes an effort it's enough. It's only the big companies/processors that really need to be on the ball with it.