It's funny to see that now...
since the certificate system of TLS has been largely compromised to a point where some countries and companies MITM every connection, Google decides that HTTP is insecure.
I mean we are long past the time when a passive attacker was a realistic scenario (unless you are at a penny pinching cable ISP). If you want to track a user today, you use one of the many ad-services to do so.
If Google had security in mind, they'd warn about websites using Javascript. Particularly when those scripts are loaded from external servers. They would gradually work on reducing the numbers of features webbrowsers need to implement to make web browsers smaller and therefore more secure.
We now are at a point when browsers are the most complex single pieces of software a regular person comes into contact with. We now are at a point where TLS, the protocol that is supposed to save us all, is so complex that there's just a handfull of implementations around.
This is not a healthy situation.