I get why they do it, but that means if you self host a web service, you have to choose A: centralization through domains+certs, or B: entirely vulnerable content (serve everything over unencrypted http). Option B is obvious a no-go.
Oddly enough Brave seems to be leading the charge in that regard. They just added IPFS integration. If you use a local node instead of a gateway, it loads the content in a weird mixed mode. You can access crypto *and* make insecure page requests.
Still, that might actually be a bug in Brave. And it has other downsides. Although crypto is enabled, other permissioned resources aren't, like audio/video. Which coincidentally was exactly what I needed it for.
I've really gone out of my way to avoid using a domain. I want to know how P2P browser apps can work in practice. But I'm not seeing a good method yet.
Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.