Do you think using HTTPS makes security worse?
No idea whether I qualify as a "security expert" but as someone who has
spent a fair amount of time working in security, my concern is making
advice simple enough for people to follow. Complicated, conditional, or
inconsistent advice means you lose people who decide this is all too hard
to understand and just do nothing.
"Use HTTPS everywhere that supports it" is simple and actionable advice
for the average person that will make them more secure. There are
applications and sites where HTTPS doesn't really help, but other than
some unusual performance edge cases that are pretty rare in practice, it
doesn't hurt. It's not magic fairy dust, but it does raise the bar
against a set of attacks, provides some additional privacy against casual
non-targeted snooping, and is a better default than not using TLS.
Personally, I think we should switch our default to HTTPS not because we
have a specific security flaw in mind against which HTTPS provides some
protection but because it's consistent with the general message that a lot
of us (including, for example, the EFF and the IETF) are trying to send to
average users who don't have the expertise to analyze any of this: use TLS
by default wherever you can. It's not a panacea, but ubiquitous, default
use of TLS helps both your security and your privacy compared to either
the previous default of no TLS or spending a bunch of mental energy
picking and choosing.