Autofill code does its own check to determine if the context is insecure and credit card autofill should be disabled, e.g. ChromeAutofillClient::IsContextSecure(). [1]

In  issue 652806 , we decided that it would be reasonable for this behavior to match the omnibox, such that credit card autofill is disabled when the omnibox shows Not Secure, the neutral (i), or a Dangerous state. In //chrome, therefore, IsContextSecure() should use SecurityStateTabHelper to compute a SecurityLevel. Other embedders might want to use their version of SecurityStateTabHelper (if they have one) to do the same.

[1] https://cs.chromium.org/chromium/src/chrome/browser/ui/autofill/chrome_autofill_client.cc?l=341