Only the CRIME exploit could guess the cookie. The attacker doesn’t need to decipher it and mess with it. He needs to guess it whole to steal the session.
With the CRIME exploit this was possible, and the encryption done by Rails doesn’t protect from a CRIME attack. The only protection was to disable HTTPS compression.
BREACH cannot do this because it targets body compression, so the main vulnerability for BREACH is the csrf-token placed inside the response, which is protected in Rails with those XORs.
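The XOR masking mentioned above, as an added example that is not part of the original comment and is not Rails' own source: each response carries a fresh random pad plus the pad XORed with the real token, so the bytes in the compressed body differ on every request while the server can still recover and check the token. All method names and the 32-byte length are assumptions made for this sketch.

```ruby
require "securerandom"
require "base64"

TOKEN_LENGTH = 32 # bytes; assumed length for this sketch

# XOR two equal-length byte strings.
def xor_bytes(a, b)
  raise ArgumentError, "length mismatch" unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Value embedded in the HTML response: pad || (pad XOR token).
# A new pad per response means the emitted bytes never repeat.
def mask_token(raw_token)
  pad = SecureRandom.random_bytes(raw_token.bytesize)
  Base64.strict_encode64(pad + xor_bytes(pad, raw_token))
end

# Recover the real token from a submitted value; nil if malformed.
def unmask_token(masked)
  data = Base64.strict_decode64(masked)
  return nil unless data.bytesize == 2 * TOKEN_LENGTH
  pad = data.byteslice(0, TOKEN_LENGTH)
  xor_bytes(pad, data.byteslice(TOKEN_LENGTH, TOKEN_LENGTH))
rescue ArgumentError # invalid base64
  nil
end

# Comparison that does not exit early on the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Server-side check of a submitted masked token against the session's token.
def valid_submitted_token?(masked, session_token)
  raw = unmask_token(masked)
  !raw.nil? && secure_equal?(raw, session_token)
end
```

The session cookie gets no such per-response randomisation, which is why this masking covers only the token in the response body.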