Default to disabling Auto-fill HTTP (insecure) website password / forms


I believe auto-filling HTTP (insecure) forms should disabled by default with security in mind.

There are substantial security implications to auto-filling website forms (including passwords).

Currently when testing with the built-in LastPass password manager I’m finding that HTTP sites are having their passwords auto-filled.
I assume that it’s the same with the other built-in password managers?

Even auto-filling on a secure website raises questions when the user wishes to remain anonymous / logged out: