I was reading this Reddit thread and this comment caught my interest:
Chrome and Firefox also consider "*.localhost" as secure so you can deve...
Did some more digging (git blame) and it turned out this was added 7 months ago.
github.com/mozilla/gecko-dev/commi...
The context of this commit is also interesting, as it allows the browser to trust .localhost as a secure origin, and you don't need https in local dev for stuff that required https before, such as service workers.
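
The rule described above, as an added example that is not part of the original post and is not Firefox or Chrome code: a simplified check modelled on the W3C Secure Contexts "potentially trustworthy origin" rules, limited to http(s)/ws(s) URLs. The function name and sample URLs are constructed for illustration, and the lookalike hosts show which names do not get the exception.

```javascript
// Added example: simplified "potentially trustworthy origin" check for
// http(s)/ws(s) URLs, modelled on the W3C Secure Contexts rules.
// Not browser source code; names and sample URLs are constructed.
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparsable input is never trusted
  }
  const scheme = url.protocol.replace(/:$/, "");
  // Authenticated transports are trustworthy regardless of host.
  if (scheme === "https" || scheme === "wss") return true;
  // Only plain http/ws get the loopback exception in this sketch.
  if (scheme !== "http" && scheme !== "ws") return false;

  // URL lowercases the host and normalises IP literals for these schemes.
  let host = url.hostname;
  if (host.endsWith(".")) host = host.slice(0, -1); // drop root dot

  // "localhost" itself or any name under the .localhost TLD.
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  // IPv4 loopback block 127.0.0.0/8 and the IPv6 loopback address.
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;
  if (host === "[::1]") return true;
  return false;
}

// Constructed sample URLs, including lookalikes that must NOT qualify.
const samples = [
  "http://app.localhost:8080/sw.js",
  "http://localhost:3000/",
  "http://127.0.0.1:5000/",
  "http://[::1]:5000/",
  "http://localhost.example.com/",
  "http://notlocalhost/",
  "http://192.168.1.10/",
  "https://example.com/",
];
for (const s of samples) {
  console.log(isPotentiallyTrustworthy(s) ? "secure  " : "insecure", s);
}
```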