I believe that it's that site's responsibility to set the cookie's secure attribute. Otherwise I'm surprised nobody mentioned disabling 3rd party cookies as a mitigation on the client side. Using a VPN provider, a VPS or even your self-hosted VPN in your home (your home ISP) is just choosing who you trust.