For background see:
So, even though I get the “security signalling” padlock badge, my purchases and data cannot be trusted to be sent to a Microsoft IIS web server.
It would be nice to be able to be warned or actively blocked because the connected web server cannot be trusted. Given the above, lack of trust might be the recommended default for IIS.
Of course this could be fine tuned by version, … an out-of-date Apache Web Server might be just as untrusted. Signals of lack-of-maintenance should revoke trust.