My understanding of secure flag on HTTP cookies is: it will prevent the client from sending cookie in an HTTP connection, preventing a MITM attacker from grabbing the cookie details.
What if a Web application is running only on HTTPS? Do I still need the secure flag on each HTTP cookie? If so, how would that increase security?
As you already said, a man in the middle could grab the cookie while in http transit when the secure flag is not set.
Note that the secure flag tells the browser to not transmit the cookie when not on a secure connection. So the other way round than what you expected.
Now, even if your website is only running on https, a man in the middle might offer http only, proxying your web application, connecting to it via https.
This way, the cookie will be sent over http whenever a user without https everywhere manually enters the URL, unless you also have the HSTS set.
But even if you have, a man in the middle could remove the header for new visitors on their http service, stealing their cookie. This however is unfortunately true for the secure flag, as well.
So, in a scenario with a man in the middle, setting the secure flag will make it harder for the attacker to gain access to cookies of users, even if your service is only offering https.
What if a Web application is running only on HTTPS?
If the client exclusively connects to the server using HTTPS, the secure flag has no effect. Note that this is independent of what the server does.
If you have full control over the client, such as a phone app or desktop application, you can enforce HTTPS-only connections. In a browser you can enforce HTTPS requests using HSTS.
