PHP
svd71, 2014-01-09 11:17:11

How safe is PHP to store data in $_SESSION?

After some study of this issue, I came to the conclusion that it is quite safe: the file is created on the server, in no way transmitted to the client. Maybe I'm mistaken?
And what can happen to the data if the server does not support cookies, but the client has them enabled?


3 answer(s)
vasenin26, 2014-01-09
@svd71

Absolutely right. PHP stores the serialized session data in a file on the server. Between pages only the session ID is transmitted, and it is transmitted by means of a cookie. Theoretically someone can steal the session ID and thereby gain access to the session data from another device, but it is quite easy to add extra protection, for example by binding the session to an IP (store it in the session and check on every request whether the client's IP has changed; if it has, reset the session), or use SSL on your site if it holds enough important information. In other cases I think you need not bother, but still watch what you do: it is you who make your scripts safe, not PHP.

Igor Yatsevich, 2014-01-09
@IgoNsk

After some study of this issue, I came to the conclusion that it is quite safe: the file is created on the server, in no way transmitted to the client. Maybe I'm mistaken?

No, you are not mistaken: only the session identifier is transmitted to the client, either through a COOKIE or through a GET request parameter (if the client does not support COOKIE and the corresponding setting is enabled in PHP on the server), so that when the next page is opened the server understands that this is the same user.
Firstly, maybe it is the other way round: cookies are turned off in the browser? Because, as you wrote, the session will then simply go through the GET parameter, and everything works normally.
Secondly, what data? If the session mechanism does not work, then there is no data.
If you decide to erase or change the session identifier in the browser, the data will be kept on the server until it expires (which is set in the PHP session settings).
P.S. I would advise you to study this mechanism, because judging by the questions you have not fully grasped the essence of all this.)
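The two answers above describe how the session ID travels (cookie, or a GET parameter when `session.use_trans_sid` is on) and suggest binding the session to the client to blunt ID theft. The following is an added example, not code from the original thread or from any of its authors, showing those points in working PHP: it closes the URL transport of the ID, sets the cookie flags, binds the session to a client fingerprint, regenerates the ID on login and enforces a server-side idle timeout. It assumes PHP 7.3 or later with the default file-based session store; the `loginUser` function and the 15-minute idle limit are illustrative choices.

```php
<?php
// Added example (not from the original thread). Assumes PHP >= 7.3 and the
// default file-based session store (session.save_handler = files).
declare(strict_types=1);

// 1. Transport of the ID. By default PHP sends only PHPSESSID=<id> as a cookie;
//    the serialized $_SESSION payload stays in session.save_path on the server.
//    With use_trans_sid=1 and use_only_cookies=0 a cookie-less client gets the ID
//    appended to links and forms as ?PHPSESSID=<id>, which leaks it into browser
//    history, Referer headers and proxy logs. The settings below close that path.
//    They must be applied before session_start().
ini_set('session.use_only_cookies', '1');     // never accept the ID from the URL
ini_set('session.use_trans_sid', '0');        // never rewrite URLs to carry it
ini_set('session.use_strict_mode', '1');      // reject IDs the server did not issue (anti-fixation)
ini_set('session.cookie_httponly', '1');      // script in the page (XSS) cannot read the cookie
ini_set('session.cookie_secure', '1');        // send the cookie only over HTTPS (the "use SSL" advice)
ini_set('session.cookie_samesite', 'Strict'); // do not attach it to cross-site requests
ini_set('session.gc_maxlifetime', '1440');    // server-side expiry of abandoned session files

session_start();

// 2. Binding the session to the client, as the first answer suggests. Instead of
//    the raw IP alone, compare a hash of IP + User-Agent: an ID replayed from a
//    different machine normally fails this check. Caveat: clients behind carrier
//    NAT or corporate proxies can change IP mid-session, so many sites bind only
//    to the User-Agent or to the /24 of the address; pick the trade-off knowingly.
function clientFingerprint(): string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $ip . '|' . $ua);
}

if (!isset($_SESSION['fingerprint'])) {
    $_SESSION['fingerprint'] = clientFingerprint();
} elseif (!hash_equals($_SESSION['fingerprint'], clientFingerprint())) {
    // The ID was presented by a different client: discard the server-side data.
    $_SESSION = [];
    session_destroy();
    http_response_code(403);
    exit('Session does not belong to this client.');
}

// 3. Issue a fresh ID whenever privilege changes (login), so an ID an attacker
//    planted or sniffed before authentication is worthless afterwards.
//    Illustrative helper; a real application calls it after password verification.
function loginUser(int $userId): void
{
    session_regenerate_id(true); // true = delete the old session file as well
    $_SESSION['user_id'] = $userId;
    $_SESSION['fingerprint'] = clientFingerprint();
    $_SESSION['last_seen'] = time();
}

// 4. Idle timeout enforced on the server. The client controls when it drops the
//    cookie; this check is what actually ends a stolen session that is not used.
$idleLimit = 15 * 60; // illustrative value
if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > $idleLimit) {
    $_SESSION = [];
    session_destroy();
    http_response_code(401);
    exit('Session expired.');
}
$_SESSION['last_seen'] = time();
```

Drop the file in a directory served by `php -S 127.0.0.1:8080` and load it twice: the browser receives only the `PHPSESSID` cookie, while the serialized data sits in the file named `sess_<id>` under `session.save_path`. Presenting the same cookie from a client with a different IP or User-Agent produces the 403 branch.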

Nikolai Vasilchuk, 2014-01-09
@Anonym

the file is created on the server, in no way transmitted to the client. Maybe I'm mistaken?

If your session is stored in files, then you are right. But the session can be stored elsewhere, for example in a database. In general there is no difference: the session data is not transferred to the client (unless you transfer it yourself); only the session identifier goes to the client.
How do you organize work with sessions if "the server does not support cookies"? In the general case client identification happens as follows: the server receives the session identifier from the client's cookie and uses it to look up the session data.
