That will be lack of HTTPS, yes.
With unencrypted HTTP it's possible for parties between the client and server to monitor and intercept requests - either just to snoop, or to pretend to be your server and return something malicious instead of what was requested.
Examples I'm aware of in the wild:
* operators of public WiFi networks logging users' device info and the pages they visit, then selling the data (this one also needs encrypted DNS to fix entirely, but browsers are working on that too).
* unscrupulous ISPs (looking at you, Virgin Media) returning fake ad-loaded search pages when DNS lookup fails [i.e. there shouldn't really be a page at the address at all].
* poorly-configured public WiFi enabling other users to interfere with requests, inserting viruses into the response.
* governments (our own, the US and China's among many others) forcing ISPs to let them monitor or interfere with traffic as above.
Chinese entities have repeatedly used a technique called 'BGP hijacking' to redirect traffic between other countries that would never normally pass through China so they can do so.
None of these are possible with HTTPS. The nature of the content you intend to serve is moot because the data is tampered with before you receive it and after you send it back.
The browser vendors and other large companies don't gain at anyone's expense from using HTTPS - in fact, as above, it makes certain tracking techniques impossible. Certificates are free these days. It's just standard good practice.
I'd also be happy to help with sorting it out, your site's a great resource and it would be a shame to lose it.