Here's a quick primer:
https://ssd.eff.org/en/module/what-encryption
Using https involves both encryption of in-flight data as well as validating the source using a certificate. Basic TCP/IP and http do not guarantee either. It's been recognized that the certificate infrastructure is, at best, a stop-gap solution that has numerous vulnerabilities, including interference from state actors. Also, it isn't too hard to become a root CA (look up WoSign for a good example of this going wrong), and the entire certificate signing infrastructure depends on trusting the root CAs. One proposed solution is DNSSEC, but there's a lot of change needed before it becomes widespread enough to make a difference.
One could argue that many 'calls for bullshit' are due to perceived financial gain on the part of the bullshitter (in this case, I assume that's the CAs). If that bothers you, use LetsEncrypt.
A benign example of how unsecured http can be used is injecting ads into http pages, as is commonly done at airport "free wifi" APs and shitty hotels. This is, at best, a nuisance, and at worst it can break websites. Far more sinister is being able to inject malicious javascript. While 'man-in-the-middle' sounds like something only a state actor or ISP can do, it's actually quite easy. DNS requests are handled over UDP, so whoever responds quickest to a DNS request 'wins'. I can camp out on your LAN (easy on public APs) and respond to DNS requests for, say, google.com by pointing to myself. I can then read your google cookie (and get the keys to that particular kingdom), inject javascript into the google.com page that I serve to you that can exploit flaws in your browser to grab passwords entered into fields, etc. Also, note that I did not need your browser to send me a password (hashed, salted, spiced, whatever) to do any of this. None of this is possible after google switched to https.
Finally, without encryption, everything is up for grabs by law enforcement. You might say 'I did nothing wrong, I have nothing to worry about', while forgetting about false positives. Most of what law enforcement looks at is through pattern matching, which can get caught up so easily by the wrong keyword. EEVblog does not use https, so all it takes is for someone posting child porn (as happened recently) for everyone on the forum to come to the attention of law enforcement. I can be certain that some server at the NSA has now flagged me for posting this.