Greg,
Have you considered that the problem is coming in through http:// (and not https://))
I ran the following reports on GSC Under “URL inspection”, for http://www.XYZ.com and http://XYZ.com (as examples) and as you can see there are referrers who are not mine:
Why / who are these referrers? It being http:// perhaps hackers are exploiting it … how about just shutting down http:// and just leave https:// operational.
Thoughts?