by MathiasPius 2247 days ago
In regard to point number 2: the Name Constraints extension[1] appears to be getting more support, at least in Chrome and Firefox on non-OSX devices[2], which could help mitigate the very serious vulnerability presented by installing root certificates, by limiting the CA's scope to just the company domain, for example.

[1] https://tools.ietf.org/html/rfc5280#section-4.2.1.10

[2] https://nameconstraints.bettertls.com/
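
As an added illustration (not part of the comment above or of any browser's code), this sketch shows how a verifier applies dNSName Name Constraints from RFC 5280 section 4.2.1.10 to a leaf certificate's SAN entries. The function names and the `corp.example` hostnames are constructed for the example.

```python
# Added example: dNSName Name Constraints matching per RFC 5280 section 4.2.1.10.
# Hostnames are constructed sample values under the reserved .example TLD.

def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")

def dns_within(name, constraint):
    """True if name equals constraint or only adds labels to its left-hand side."""
    n, c = _labels(name), _labels(constraint)
    # Compare whole labels so "evilcorp.example" never matches "corp.example".
    return len(n) >= len(c) and n[-len(c):] == c

def check_leaf(san_dns_names, permitted, excluded):
    """Return (name, reason) for every SAN dNSName the constraints reject."""
    violations = []
    for name in san_dns_names:
        if any(dns_within(name, e) for e in excluded):
            violations.append((name, "excluded"))  # exclusions always win
        elif permitted and not any(dns_within(name, p) for p in permitted):
            violations.append((name, "not permitted"))
    return violations

if __name__ == "__main__":
    # A company root constrained to its own domain, with one subtree carved out.
    permitted = ["corp.example"]
    excluded = ["lab.corp.example"]
    sans = ["wiki.corp.example", "www.bank.example",
            "db.lab.corp.example", "evilcorp.example"]
    for name, reason in check_leaf(sans, permitted, excluded):
        print(f"reject {name}: {reason}")
```

A root installed with such constraints cannot produce a chain that validates for names outside the permitted subtree, provided the client enforces the extension.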

1 comments

The point is, with a customized TLD, we don't need HTTPS traffic of videos in a LAN. Serving whatever content we embed in an HTTPS page should be a constitutional right.

A custom TLD is only custom until it's not (see .dev, .corp), and using them for intranet purposes is widely regarded as bad practice.

If you're already serving regular content over HTTPS internally, then I don't see the big issue in serving video and images the same way, but I'm not familiar with your particular use case so you may of course have a point here that I'm ignorant of.

> them for intranet purposes is widely regarded as bad practice

We are talking about the Open Web here. I think TOR wouldn't be as popular if we did not allow custom TLDs.

And I politely disagree with ICANN's new gTLD expansion. Domains like blog.google are wrong.