I think https by default would be a wonderful addition. I understand the complexities from the project's perspective. I understand the users wants for privacy. If the project not defaulting to https is that much of a privacy issue for you, set up a local mirror then point your boxes to that. Yes, someone could potentially still snoop your local network. But if they can do that, you've got bigger issues to worry about than the fact that they can see what packages you're installing.

https://www.debian.org/mirror/ftpmirror