Lubuntu 20.04 LTS: is http apt transport safe nowadays?
Plain http is safe for apt to download debs from the Ubuntu repositories.
- Debs ARE signed. They have been signed since Ubuntu started. They have been signed by Debian for years before that.
The apt+repository system is designed so that https is not required to ensure safe receipt of original debs from repositories. When the signature does not match the package for any reason, apt throws an error and won't install the package.
- Man-In-The-Middle (MiTM) attacks were considered when the Debian distribution method was created, and that attack vector has been long mitigated using (increasingly long) signatures.
There is certainly nothing wrong with using https, if available. You are welcome to use https sources if you wish.
- Most mirrors are contributed by volunteer organizations, not controlled by Ubuntu or by Canonical. Many serve content as 'archive.ubuntu.com'. That makes SSL/TLS certificate management --and the associated requirement for private key sharing-- a big ugly problem that no volunteer has stepped forward to solve in two decades of Debian-based distros. You are welcome to help solve it.
Naturally, if you can show a successful proof-of-concept MiTM attack against normal apt usage, the Ubuntu Security Team would love to know about your exploit so they can mitigate that.