Jumping in to clarify my original side note:
I didn’t necessarily mean to suggest that a plain HTTP indicator ought to flag a site as “not secure” per se… but even a non-aggressive/opinionated icon would probably make for better UX overall.
Otherwise, for example, a user looking for some lock icon to ensure their connection is encrypted may conclude that the absence of any such icon indicates the “default” state (i.e. no alerts, warnings, peculiarities, etc.), and that if the site were unencrypted, surely the browser would say so somewhere.
In other words, it would take conscious observation by the user to learn when/why a lock icon is or is not displayed before being able to reliably draw conclusions on the connection state with a simple glance towards the URL bar.