You mentioned it, but I want to re-iterate this. The most important part of HTTPS isn’t that it’s hidden from anyone else, it’s that you can prove that data was actually sent by the website you expected, and it wasn’t altered in transit.
With HTTP, someone in-between can change the data, or hijack the whole session and you’ll never know. With HTTPS, anyone in-between must pass along the data (mostly) unaltered (except in very specific situations).
You mentioned it, but I want to re-iterate this. The most important part of HTTPS isn’t that it’s hidden from anyone else, it’s that you can prove that data was actually sent by the website you expected, and it wasn’t altered in transit.
With HTTP, someone in-between can change the data, or hijack the whole session and you’ll never know. With HTTPS, anyone in-between must pass along the data (mostly) unaltered (except in very specific situations).