Steps to reproduce:
It appears that there is a bug in the visual indication of HTTPS (padlock in location bar) status after a redirect via Location header (within the same origin). A non-HTTPS site continues to have the padlock icon (and certificate info when clicking it), despite the page being served without HTTPS.
The symptom:

A trace of the redirect:

Orion knows the page was served up insecurely (via dev tools):

This redirect takes place without any notable visual warning, and the padlock icon remains. I've only tested it within origin (i.e. where https://auth.dev.<whatever> redirects to http://auth.dev.<whatever>, but I imagine the bug could affect cross-origin redirects.
Expected behavior:
At minimum, the padlock icon should disappear, and whatever icon is used for "insecure site" (in future I guess) should be shown. Given how widespread HTTPS is, that should be safe.
More likely, the padlock icon should disappear, and the user should see a major security error warning to alert them to this downgrade via a redirect?
Safari doesn't have a full-page intersitial, but does spot the issue and alert via the URL bar.

Orion, OS version; hardware type:
Version 0.99.110-beta (WebKit 613.1.12) on 12.1 release (21C52)