With HTTPS, the site author could still do all of that, no? So I’m not convinced this is really that big of a concern on an unknown website that I’m not entering any credentials or personal information on.
That's more of an issue with trusting any website, whereas TLS mitigates the risk of trusting a wifi provider or ISP. I also don't think it's much of a concern for old, infrequently used sites, but I wouldn't trust the competence of a modern website that didn't have a current SSL cert.
the SITE can do that when HTTPS is used, yes, but an unauthorized third party can inject stuff much more easily when it's plain HTTP. A little ARP poisoning and some mitmproxy and before you know it you're injecting malware or whatever
Whether or not that matters when viewing this particular site is up for debate
Yes – into the sandbox of this particular site (and limited to non-HTTPS-mandatory browser APIs at that).
If that's a big threat vector, I feel like the much bigger risk would be visiting malicious sites, not a local or ISP located attacker injecting stuff into benevolent-but-HTTP-only ones.
> limited to non-HTTPS-mandatory browser APIs at that
Another trick that could easily be pulled by a malicious ISP/wifi provider is to insert a redirect into the HTTP page to go to an HTTPS site controlled by the attacker (presumably with some semi-related name so as to not seem suspicious to the user) and to then bypass non-HTTPS restrictions in the browser.