Security is very much a case of eating an elephant one bite at a time, and you need to be careful when describing something as secure: you have to be very specific about what it is that’s secure, and against what attackers. What bit of the elephant you’re biting off, sort of thing.

HTTPS is secure in the sense that, when you talk to a website using HTTPS, I can’t eavesdrop on that conversation. Anything running on your computer might be able to see the data before it’s sent, anything running on the website’s servers could potentially read the data after it’s received, the security guarantees are specifically about that step in between.