You misunderstood the mechanism - the Google Analytics script receives keywords, etc. from the link URL (the click URL on the search results page contains a lot of information, like the keyword and the position of the search result in serp).
The analytics script extracts information from the referrer and (besides sending it to google) stores it in a cookie (in fact, the new universal analytics does not do this anymore). But this happens in your own domain.
Google Analytics can set cookies for your domain, because by inserting their javascript code on your website, you basically gave them the city key - Google can write and read cookies, they can - and do - load other scripts, they can steal sessions, deactivate your site, etc. Not that Google has ever done this, but if you go beyond world domination, you should start by hacking into servers that supply javascript code for analytics.
However, Google cannot set the first cookie from the google domain, and they do not need it. All this at the reference address.