While securing each Web app is an excellent idea, I think it would be useful to provide an option to provide secure transport for all pages including user pages and pages under /var/www/html (the default document root) if that is set to be served as the default rather than plinth.
I see you’ve already noted this in the issue tracker. Sorry for the noise.