For cookie containing access_token, setting secure = false, is that bad practice?

I’m using svelte kit JS framework. The auth pattern I have is: the user signs into auth0, the client server then retrieves the access_token, uses jwt to sign it with our private key (still on the server), and sends it to the client as a cookie. The client server then checks for that cookie on every request. The secure flag must be set to false for the cookie to show up on the client side and be accessible with javascript. Is this still secure? It is being signed as a jwt on the server with a private key so I’m thinking that might be fine? Ex.

                jwt.sign(data.access_token, [import private key] ),
                { sameSite: 'lax', httpOnly: true, path: '/', secure: false }


Answered here