79325111

Date: 2025-01-02 22:37:10
Score: 1

According to the Hotjar Virtual Assistant (at https://help.hotjar.com/hc/en-us/requests/new):

"A number of our cookies cannot use HTTPOnly flags. This is because they're used to persist information between sessions/pages, so they need to be accessible to Hotjar's client-side code. HTTPOnly makes the cookie values inaccessible to client-side code.

From a security point of view, the risk this produces is that other scripts active within the session can read and modify those cookies.

As these cookies are Hotjar-specific and do not contain PII, there is a very small attack surface in this case - the risk extends to Hotjar's local operability."

Though the aforementioned response does not address Hotjar cookies by name on a cookie-by-cookie basis.

Reasons:
  • Long answer (-0.5):
  • No code block (0.5):
  • Low reputation (1):
Posted by: Edward Salwin