More to the point
It is technically impossible to have a valid cert for 10.0.0.0/8, 192.168.0.0/16 or 172.16.0.0/12 IP addresses, and the same with *.local.
Or rather, any CA that issued one would be quickly blacklisted.
So Intranet sites and dynamic hosts on private networks simply cannot be TLS without raising the "Its dangerous to go here" warning, unless they buy a public domain purely for internal use - and risk accidentally spilling it outside their walls.