* Some functionality is off-limits for sites loaded via HTTP. (Another commenter mentioned clipboard access.)

* Browsers will display annoying warning symbols whenever you try to access sites via HTTP.

* If you live in a shared living space such as an apartment you probably don't have control over your home network.

* Even if you have control over your network, a single compromised IoT device is enough to sniff your internal network traffic, assuming WPA2. (Probably not super likely tbh.)

>What is the threat model in which an attacker could MitM your internal network?

Police raid on your home/company. Malware on a router. Malicious actor in the server room. Possibilities are endless.

SSL added and removed here ;-)

(this is a reference, look it up if you don't recognize it)

Router malware is the one thing out of those thing that seem plausible.

If you have physical access, TLS isn't much protection against eavesdropping. At that point they can just compromise your hardware instead.

> Malware on a router.

It doesn't even have to be on the router, just the same network segment plus some ARP spoofing tricks (assuming your switch doesn't have ARP spoofing protections or they haven't been enabled) could be enough to MitM a connection.

I travel between networks with my phone and laptop. Software will ping out using whichever network I'm on, trying to connect to its backend. If I connect to hostile/compromised WiFi, those connections are at risk.

Can't any client on the same wifi read your traffic by just putting their wifi card into promiscuous mode? Obviously depends on who uses your wifi and your threat model, but that seems like a problem.

Yes, on WPA2. WPA3 introduced per-client encryption keys.

On use-case I hit just recently is web apps hosted in my internal network, without https, Firefox won't allow me to click the "copy to clipboard" buttons on those pages