stealing authentication cookie with fetch request contains credentials: include

Question

Let\'s assume I implement my authentication by http-only & secure cookie. At first glance it should protect from stealing this cookie if an attacker got access to my site th