Does incognito/private browsing prevent XSS attacks?

An XSS attack is not primarily about cookies. It is not about stealing sensitive data either. It is instead about executing attacker-controlled code on the client side within the context of the site you visit. What kind of harm can be done by this code depends on the actual site and context.

Using a private browsing session will not prevent XSS by itself, but it might limit the impact of what harm XSS can do - i.e. it has no access to the cookies or other stored data from the non-private browser session. It might still do harm, though, but again this depends on the specific context and site you visit.

There are primarily two kinds of XSS attacks: persistent and ad-hoc.

A private browsing session will protect you from ad-hoc XSS attacks, but not from persistent attacks.

A persistent XSS works by an attacker injecting script code somewhere into the sensitive page. This could be done by sending you a prepared message on the platform, or by some other means of injecting data into the storage of the sensitive page. When you log into the sensitive page to view some data, the injected data will be loaded by the server and transferred to your browser and will be executed if the site is vulnerable. An example would be a prepared message in an online banking transaction. The attacker would send you a real transaction and the message part would contain a harmful script. No other page is involved, so you cannot protect yourself against this; only the page owner can.

An ad-hoc XSS can work by getting you to click on a prepared link, which includes injection data. Such a link could look like <script>doEvil(...)</script> where the injected script is part of the link. The attacker will try to get you to click this link, or will try to execute it in the background via JavaScript from his own prepared page. So if you open email links and untrusted pages in a separate session, your user account on the sensitive page will be safe from this kind of attack, since you are not logged in on the sensitive page in the incognito session. So while the XSS might still execute, it cannot do any harm to your own account on the sensitive page, which is what we want to protect.
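
Added example, not part of either answer above: the persistent case from the page owner's side, showing a transaction-list renderer that emits a stored message unencoded next to one that HTML-encodes it. The record, the function names and the table markup are hypothetical, constructed for illustration.

```javascript
// Constructed sample record: what the site's storage holds after someone
// sends a real transaction whose message field carries a script element.
const storedTransaction = {
  sender: "Unknown payer",
  amount: "0.01",
  message: "<script>doEvil(...)</script>",
};

// Encode the characters that let text break out of HTML element content
// or a quoted attribute value. Single pass, so "&" is never double-encoded.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable form: stored fields are concatenated into markup as-is, so the
// browser parses the message as an element instead of displaying it as text.
function renderVulnerable(tx) {
  return `<tr><td>${tx.sender}</td><td>${tx.amount}</td><td>${tx.message}</td></tr>`;
}

// Hardened form: every stored field is encoded at output time, so the same
// record is shown to the user as literal characters.
function renderHardened(tx) {
  const cells = [tx.sender, tx.amount, tx.message].map(escapeHtml);
  return `<tr><td>${cells.join("</td><td>")}</td></tr>`;
}

// Check used below: does the rendered row still contain a script element?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Neither renderer takes the browser's session type as input: a private
// window that logs in receives exactly the same row as a normal one.
console.log("vulnerable row has script element:",
  containsScriptElement(renderVulnerable(storedTransaction)));
console.log("hardened row has script element:",
  containsScriptElement(renderHardened(storedTransaction)));
console.log(renderHardened(storedTransaction));
```
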