I hope HTTPS-First mode would become the default, so that the full page warning can finally convince my classmate to adopt HTTPS on their website that "does not contain any private info so it doesn't need encryption".
Is it a web app or just a static site? I still haven't seen a good argument for why static sites (blogs, personal sites, etc. that process no user information) should implement HTTPS.
Excluding things like zero-day exploits, the biggest problem with allowing any unencrypted traffic is cache-poisoning.
This was noticed when a Google engineer went on holiday, and stayed at a hotel with dodgy Wi-Fi that copypasted ad scripts into anything that looked like jQuery. Said engineer realized that his laptop was still getting hit with the hotel's ads for months afterwards, because it had managed to poison one of those "JavaScript CDNs" that a lot of other sites use.
This is, of course, an attack - a hotel that can get an ad script onto arbitrary sites by rewriting one unencrypted request can also add a script that, say, siphons information off of any other site it got included into.
PoisonTap is a particularly good example of how devastating this type of attack can be: https://github.com/samyk/poisontap