Given that rfc2616 does not precisely specify what happens on “reload” (it only mentions that the Referer: MUST NOT be sent if the URI is obtained from the source that does not have its own URI), there might be some variability.

However, given that you talk within “security” context, I wonder if maybe you are expecting the Referer: to come when going from HTTPS-accessed page to the HTTP-accessed page and hitting the Reload, section 15.1.3 has a specific mention of this:

Clients SHOULD NOT include a Referer header field in a (non-secure)
HTTP request if the referring page was transferred with a secure
protocol.

I would not trust the Referer: from the security point of view. First, because the standard itself mentions that this is supposed to be adjustable (rfc2616, page 151):

The information sent in the From field might conflict with the user's
privacy interests or their site's security policy, and hence it
SHOULD NOT be transmitted without the user being able to disable,
enable, and modify the contents of the field. The user MUST be able
to set the contents of this field within a user preference or
application defaults configuration.

Second, from a practical angle, the control to tinker with this field e.g. for Firefox is in about:config, network.http.sendRefererHeader, documented e.g. at here.

And if one wants to send arbitrary referer header, then “more work” is merely a matter of downloading and starting curl with the option to set the referer to whatever they please. (–referer <URL>). So, trying to use it in any kind of security-like processing is a weak idea.