Well, it's not a feature. You can both provide official firmware over HTTPS (or provide checksums for them, or both), and let people flash custom firmware, at the same time.
Maybe what I wanted to express was more like this:
TP-Link has a sloppy attitude towards the security of their stock firmware. It might work, but it is full of security holes. HTTPS and checksums/signatures wouldn't change that.
Maybe they could do everything right with their firmware and provide top notch security and updates. But then their firmware would be a factor for market differentiation and at that point they would be incentivized to put effective code signing schemes in place. Other market players do that. Look at AVM Fritz Box products - nice hardware, security updates for many years and the result is: they are known GPL offenders and have strong code signing in place.
Instead TP-Link delivers you crap firmware on nice and cheap hardware and they don't care what you run on it.