Drupal Association members fund grants that make connections all over the world.
Detailed here why this is important: https://www.owasp.org/index.php/HTTPOnly
The core instances of setcookie() grab the parameters set in php.ini to allow httponly to be set. This is very important in high-profile, production sites. See session.inc, line 348, etc.
Although minor, the instances used in webform should also follow this practice.
Note: httponly was introduced in PHP 5.2, so not sure if that should be a requirement (or already is) for 7.x-3.x.