There's nothing stopping mirror operators from enabling HTTPS. Some of them
actually have done it already:
(and there are more in non-*.debian.org domains)
We should have an official list of HTTPS mirrors, and encourage more operators
to enable it.
On a semi-unrelated note:
Some of ftp*.*.d.o and cdimage.d.o mirrors serve random free (and sometimes
non-free) software that is not Debian[*]. This may mislead inexperienced people
into thinking that this software is endorsed or even produced by Debian. Should
we insist that only Debian is served from these domains?
[*] See e.g.: https://ftp.se.debian.org/