...and its horrendous impact on existing applications and the difficulty it incurs on development (something I've had to face recently as I have been trying to get postMessage to work and can't test it when my wrapper is an HTTP localhost proxy server while the iframe src doing the postMessage call is an HTTPS server already deployed in my QA environment).

The last point is related to the common design failure that trust is a single-valued scalar thing. It has become more and more clear that we and our systems should not just trust things or not trust them, or even trust them on a scale from 0 to 1. We trust different people for different things. We trust one person for recommendations on food, and another for movies, and to muddle these trusts could be disastrous. Similarly we allow different agents and services and code modules to access different things for different purposes. Our computer systems must reflect and implement that. An https: secure oil/water boundary does not do that. A symptom is that you can never find the perfect place to put that boundary.
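As an added example, not code from the original post, here is how a postMessage receiver can encode the non-scalar trust described above: an allowlist per message type keyed on the exact origin, so the http://localhost proxy and the https QA server from the first paragraph are separate principals rather than points on one trusted/untrusted scale. All origins, message types and the `postTo` helper are constructed placeholders.

```javascript
// Added example (not from the original post). Models a postMessage receiver
// that grants trust per purpose rather than as one scalar: each message type
// has its own allowlist of exact origins (scheme + host + port), so an
// http://localhost proxy and an https:// QA server are distinct principals.
// All origins and message types below are constructed placeholders.

const TRUST = {
  // message type  -> origins allowed to send it
  "food-recommendation":  new Set(["https://food.qa.example.test"]),
  "movie-recommendation": new Set(["https://movies.qa.example.test"]),
  "dev-ping":             new Set(["http://localhost:8080"]),
};

// Normalise an origin string the way the browser reports event.origin:
// scheme://host[:port], default ports dropped, no path. Returns null if invalid
// (this also rejects the opaque "null" origin a sandboxed frame reports).
function canonicalOrigin(raw) {
  try {
    const u = new URL(raw);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.origin; // URL.origin already drops default ports and the path
  } catch {
    return null;
  }
}

// Decide whether a message may be acted upon. `event` mimics a MessageEvent:
// { origin, data: { type, payload } }. Returns { ok, reason }.
function handleMessage(event, trust = TRUST) {
  const origin = canonicalOrigin(event && event.origin);
  if (!origin) return { ok: false, reason: "unparseable origin" };
  const type = event.data && event.data.type;
  if (typeof type !== "string" || !Object.hasOwn(trust, type)) {
    return { ok: false, reason: "unknown message type" };
  }
  // Exact match on the full origin: a scheme mismatch (http vs https) or a
  // different port is a different principal, so it is refused.
  if (!trust[type].has(origin)) {
    return { ok: false, reason: `origin ${origin} not trusted for ${type}` };
  }
  return { ok: true, reason: "accepted" };
}

// Sender side: always name the exact expected receiver, never "*", so the
// message cannot be delivered to a frame that has since navigated elsewhere.
function postTo(win, message, receiverOrigin) {
  const target = canonicalOrigin(receiverOrigin);
  if (!target) throw new Error("refusing to post without an exact targetOrigin");
  win.postMessage(message, target);
  return target;
}
```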