I disagree. The primary threat model for unencrypted http connections is a MITM attack. A middle box (a proxy or router) modifies the response payload to inject malicious content or modify the content. For an ordinary blog or personal website an attacker can gain compute, violate privacy, acquire a (minor) DDOS source, on the blogs users by injecting a script.
Another type of attack would modify the content of the site to suit the attackers purpose - either to hurt the author and/or their message. Consider the damage an attacker can do if they injected CSAM onto a person's blog. The victim's life would be ruined long before the wheels of justice turned (if they turn at all). The one mitigating factor is that you'd need to have reliable control over a relatively stable middle-box to execute this attack, but that's quite feasible. Last but not least don't underestimate the way software grows. Sooner or later someone is going to implement HTTP basic authentication over plain HTTP and, needless to say, that's a bad idea.
Look, I don't like it either. I remember when you could telnet into a server and interact with it. That was good for pedagogy and building a mental model of the protocol. But we have to deal with how things are, not how we want them to be.
What’s the argument that it can be worse for the author’s privacy?
In general, I think we should encrypt everything. The more encrypted stuff floating around, the less it stands out, and the better for everybody’s privacy. Of course, nowadays encrypted content is quite common. But it didn’t become that way without effort!
Thanks to let's encrypt it's now at least possible to get a valid certificate anonymously, but it's a pain that requires renewal every 60 to 90 days and puts you at their mercy.
If they decide they don't like your brand of free speech it's lights out and they are the only game in town.
Yes, I know you can automate renewal if you have shell access, but you'll probably have to remember to do it manually if you use shared hosting that doesn't provide a cert for you.
That's a lot of work, and a lot of risk, to secure a message that's meant to be publicly broadcast in the first place.
I imagine it to be a bit like encrypting OTA television. Sure, you could stop a pirate broadcast from inpersonating your station by encrypting it, but that's not actually a threat model that applies to normal people most of the time and it makes everything far more complex.
Can your ISP MITM you? Yep, and if they do you should cancel your service then sue them into the ground.
Unfortunately this isn't 1999, and bad actors are everywhere. Even ISPs themselves (cough Comcast) have been injecting unsolicited new code into people's webpages for many years now.
Sometimes a blog post on a plain http web site doesnt need to be encrypted.