FullStory cookies do not include any sensitive information and include only an opaque identifier. The recording script makes an XHR to our server and obtains the proper user ID to store in the cookie for the current user.
Some of our customers have http websites, some have https, and some switch between non-secure http (e.g. marketing page) to secure https (e.g. logged in user). Our goal is to ensure FullStory supports all of these cases and can coalesce a user as they traverse your site. We feel it is important for you to be able to view the full user experience across the non-secure and secure portions of your site. An https-only cookie would prevent you from viewing your customer's entire journey through your site causing you to miss out on some valuable insights.