Thankfully, the browser and server vendors can do an end-run round this by simply not supporting http2 without encryption. Then, no matter what the standard says, ordinary users will be protected, and it'll be one more reason for sites to move to https everywhere. The article discusses this in "TLS mandatory in effect".