This topic crops up occasionally. With very few exceptions, all web content sent over the public Internet should be protected with HTTPS. The question isn't Why?, but Why haven't they bothered yet?
There are plenty of reasons to use HTTPS [0] relating to privacy, security, UI, and browser features, and there are virtually no good reasons not to. There are just 2 real exceptions I know of, neither of which apply here:
1. Using unprotected HTTP enables caching. In the context of something like an apt repo, or Steam, this could be a compelling advantage. (apt provides its own checksum-based security, and doesn't really aim for privacy.)
2. Very old smartphones might not support modern TLS. In some parts of the world this can be a real concern. Even here, HTTPS should be offered, just not required.
The thing is, once you man in the middle it, without https, you can serve whatever content you want. It is no longer a page of "text and images", but one with malicious scripts, malicious links, ... you name it.
There are plenty of reasons to use HTTPS [0] relating to privacy, security, UI, and browser features, and there are virtually no good reasons not to. There are just 2 real exceptions I know of, neither of which apply here:
1. Using unprotected HTTP enables caching. In the context of something like an apt repo, or Steam, this could be a compelling advantage. (apt provides its own checksum-based security, and doesn't really aim for privacy.)
2. Very old smartphones might not support modern TLS. In some parts of the world this can be a real concern. Even here, HTTPS should be offered, just not required.
[0] https://news.ycombinator.com/item?id=22147858