Salut Christophe !
Disclaimer : I am not a lawyer, nor particularly trained in that field, so I might be wrong. Maybe others have more or different views, so don’t take my words for truth, but as a start of a discussion.
My starting point is that no software is GDPR compliant because ultimately it depends on what YOU do. If you store user data, track them, treat them … YOU need to be compliant, not the software.
At the lowest level, cookies that serve exclusively to make the site work do not need consent. See “Exemptions” : https://wikis.ec.europa.eu/display/WEBGUIDE/04.+Cookies - (most) people are aware that a minimum cookie is needed to make a site work, and that this cookie is not personal, but technical. Here you can assume implicit consent.
So a naked Grav will not require a cookie consent. Things change when you add tracking, user management and processing, but that’s evidently not a Grav functionality, but a business function. And that’s were you need to adapt software and adopt processes to make yourself compliant.