
It's because google.com contains very valuable cookies which could be leaked if there was an XSS or something anywhere on the google.com domain.

That's why things like this (which are often developed by third-party contractors, and might not go through the same level of review) are hosted on another domain.

It's a flaw in the web though. A domain should have the ability to host content without that content gaining full control over the secrets/cookies of the hosting domain.



If they mark the cookies as HttpOnly then that wouldn't be a concern though, for XSS attacks anyway. Subdomains would also solve that issue.

https://www.owasp.org/index.php/HttpOnly

Personally I think they separate them out for branding. Things that are on google.com are flagship products, and getting your thing under google.com means you and/or your project has a lot of clout at Google.


HttpOnly wouldn't solve the issue - the server-side code also shouldn't be trusted with such cookies. Cookies aren't the only permission either - Google wouldn't want webcam or audio recording permission to be given to a 'withgoogle' site without the user's consent either.
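An added example, not from any commenter in the thread, that uses Python's standard http.cookiejar (whose scoping rules follow browser behaviour) to show which hosts receive a host-only cookie, a Domain=google.com cookie, and which cookies remain readable by page script when HttpOnly is absent. The hostnames and cookie values are constructed for illustration.

```python
import email.message
import http.cookiejar
import urllib.request


class _Response:
    """Minimal stand-in for an HTTP response that carries Set-Cookie headers."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for header in set_cookie_headers:
            self._msg["Set-Cookie"] = header

    def info(self):
        return self._msg


def build_jar():
    """Simulate www.google.com setting three cookies with different scopes (constructed)."""
    jar = http.cookiejar.CookieJar()
    request = urllib.request.Request("https://www.google.com/")
    jar.extract_cookies(_Response([
        # Host-only (no Domain attribute): only www.google.com ever receives it.
        "SID=host-only-session; Path=/; Secure; HttpOnly",
        # Domain cookie: every *.google.com host receives it, so a subdomain alone
        # does not isolate it; a separate registrable domain (withgoogle.com) does.
        "NID=domain-wide-pref; Domain=google.com; Path=/; Secure",
        # No HttpOnly: script on the same origin (e.g. via XSS) can read this one.
        "UI=theme-dark; Path=/; Secure",
    ]), request)
    return jar


def cookies_sent_to(jar, url):
    """Names of the cookies the jar would attach to a request for url."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    header = request.get_header("Cookie", "")
    return sorted(p.split("=", 1)[0].strip() for p in header.split(";") if p.strip())


def script_readable(jar):
    """Names of cookies document.cookie would expose, i.e. those without HttpOnly."""
    return sorted(c.name for c in jar if not c.has_nonstandard_attr("HttpOnly"))


if __name__ == "__main__":
    jar = build_jar()
    for url in ("https://www.google.com/", "https://sub.google.com/", "https://app.withgoogle.com/"):
        print(f"{url:<30} receives {cookies_sent_to(jar, url)}")
    print("readable by page script:", script_readable(jar))
```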



