The MDN docs on HTTP cookies state:
"A secure cookie is only sent to the server with an encrypted request over the HTTPS protocol. Even with Secure, sensitive information should never be stored in cookies, as they are inherently insecure and this flag can't offer real protection."
HTTPS requests have their request bodies and all of their headers encrypted with TLS, including the Set-Cookie: response header and the Cookie: request header. This should prevent third parties from reading or tampering with the cookie values.
So why are cookies "inherently insecure"? (Perhaps Mozilla is thinking of someone with access to the user's computer being able to inspect their cookies?)