Why is secure-http set to false in composer.json by default?

QUIQQET sets the secure-http config value in the root composer.json to false by default:
https://dev.quiqqer.com/quiqqer/quiqqer/-/blob/b46bbd72002dbfc3013cc3f5aaacc6afc9c8fc5e/lib/QUI/Package/Manager.php#L471

The default Composer value for this setting is true.

Does composer in QUIQQER really need to download content via plain HTTP by default?

As this could be dangerous, I would not set this to false and have a system administrator change the value manually if he needs to.