It's still not the easiest to come up with an attack of consequence against what is basically a static site that is worth an attacker's time. You can draw out scenarios, certainly, but most of them are some combination of "doesn't matter" and "if that's the goal, there's a better and easier way to do it".

I ran on that philosophy for a long time too, but Let's Encrypt tipped the balance for me. When TLS certs cost real money it was easy to decide that the super-marginal security benefits for my minimal readers weren't worth hundreds of my dollars a year. Now it's more on the order of "incidental noise in what it took to set the website up anyhow", so I go for it.