When a cookie is protected with the secure attribute set to true it will not be send by the browser over an unencrypted HTTP request and thus cannot be observed by an unauthorized person during a man-in-the-middle attack.

Ask Yourself Whether

the cookie is for instance a session-cookie not designed to be sent over non-HTTPS communication.
it’s not sure that the website contains mixed content or not (ie HTTPS everywhere or not)

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

It is recommended to use HTTPs everywhere so setting the secure flag to true should be the default behaviour when creating cookies.
Set the secure flag to true for session-cookies.

Sensitive Code Example

Using Flask:

from flask import Response

@app.route('/')
def index():
    response = Response()
    response.set_cookie('key', 'value')  # Sensitive
    return response

Using FastAPI:

from fastapi import FastAPI, Response

app = FastAPI()

@app.get('/')
async def index(response: Response):
    response.set_cookie('key', 'value')  # Sensitive
    return {"message": "Hello world!"}

Compliant Solution

Using Flask:

from flask import Response

@app.route('/')
def index():
    response = Response()
    response.set_cookie('key', 'value', secure=True)
    return response

Using FastAPI:

from fastapi import FastAPI, Response

app = FastAPI()

@app.get('/')
async def index(response: Response):
    response.set_cookie('key', 'value', secure=True)
    return {"message": "Hello world!"}

See

OWASP - Top 10 2021 Category A4 - Insecure Design
OWASP - Top 10 2021 Category A5 - Security Misconfiguration
OWASP - Top 10 2017 Category A3 - Sensitive Data Exposure
CWE - CWE-311 - Missing Encryption of Sensitive Data
CWE - CWE-315 - Cleartext Storage of Sensitive Information in a Cookie
CWE - CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
STIG Viewer - Application Security and Development: V-222576 - The application must set the secure flag on session cookies.