I mean, sure, but if you're sending him a PGP-encrypted message, and his public key was messed with, the end result would just be his inability to open the message.
I think his actual point was to try and discredit the messenger.
It does matter. Someone could replace his public key with a fake one. Everything that would be encrypted so that only he could see it could end up in the wrong hands, because somebody would trust "I'm encrypting using his public key, I can tell anything to that guy", and the bad guy would read it.
I'm confused how you think transferring the PGP key through secure means would prevent that. It only (mostly) ensures the message you receive is valid.
They could far more easily gain access to his server through a variety of means and upload a different copy of his key than try and do a MITM or whatever. It's not like he's going to notice if the key changes.
What you're proposing is that an intelligence service is going to MITM you and gain access to the journalist's computer or email server to read the messages you may send him? Why? The messages are unencrypted when read on his system and when typed on yours, so there are far easier ways to get at their contents.
Assuming you trust Keybase (or if not fully trust at least consider it part of a more general trust network) then the key can be verified against that. That it's hosted over HTTP or any other protocol is irrelevant if it's also attached to some trust network. You can obtain it, check the fingerprint and/or value against his Keybase information and determine then whether or not you trust the key.
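The fingerprint check described in the last comment, as an added example that is not part of the thread: it computes the OpenPGP version 4 fingerprint of a downloaded key packet and compares it with the fingerprint read from a second channel such as a Keybase profile. The key material, the helper names and the `PUBLISHED` value are constructed for illustration, and the key is assumed to be a binary (not ASCII-armored) v4 packet.

```python
import hashlib, hmac, struct

def mpi(n):
    # OpenPGP MPI: 2-byte bit count, then big-endian magnitude
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def make_v4_rsa_packet(created, n, e):
    # Constructed demo key: version 4, creation time, algorithm 1 (RSA), n, e
    body = bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)
    return bytes([0x99]) + struct.pack(">H", len(body)) + body

def public_key_body(packet):
    # Extract the body of a leading public-key packet (tag 6)
    hdr = packet[0]
    if not hdr & 0x80:
        raise ValueError("not a binary OpenPGP packet")
    if hdr & 0x40:  # new-format header: tag in the low 6 bits
        tag, first = hdr & 0x3F, packet[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + packet[2] + 192, 3
        else:
            raise ValueError("length encoding not handled in this example")
    else:  # old-format header: tag in bits 5-2, length type in bits 1-0
        tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
        if size > 4:
            raise ValueError("indeterminate length not handled in this example")
        length, off = int.from_bytes(packet[1:1 + size], "big"), 1 + size
    body = packet[off:off + length]
    if tag != 6 or len(body) != length or body[:1] != b"\x04":
        raise ValueError("expected a complete version 4 public-key packet")
    return body

def v4_fingerprint(packet):
    # RFC 4880 section 12.2: SHA-1 over 0x99, 2-byte body length, body
    body = public_key_body(packet)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def matches_published(packet, published):
    # Strip spaces, colons and case from the human-formatted fingerprint first
    want = "".join(c for c in published.upper() if c in "0123456789ABCDEF")
    return len(want) == 40 and hmac.compare_digest(v4_fingerprint(packet), want)

# Constructed sample data: toy moduli, not real keys
GENUINE = make_v4_rsa_packet(1400000000, 0xC0FFEE1234567890ABCDEF0123456789, 65537)
SWAPPED = make_v4_rsa_packet(1400000000, 0xBADC0DE1234567890ABCDEF012345679, 65537)
# Stand-in for the fingerprint as it would be shown on the independent channel
PUBLISHED = " ".join(v4_fingerprint(GENUINE)[i:i + 4] for i in range(0, 40, 4)).lower()
```

A key swapped on the web server produces a different fingerprint and fails the comparison regardless of whether it was fetched over HTTP or HTTPS; the check is only as strong as the channel the published fingerprint came from.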