Found out _pk_ref-cookie is not secure, despite setSecureCookies is set. All the other _pk-cookies however are.
A quick look into the javascript code the check for a secure cookie is missing on some other cookies, e. g. CustomDimension, too.
Maybe the check if a cookie needs the secure flag can be moved to the setCookie-function instead of doing it individually for every single cookie.