Actually, I say that, but my devices are all set to auto redirect to HTTPS for any page... if they're just returning HTTP by default without a redirect, yes this is a privacy and security risk.

Without a server side redirect or HSTS it is trivial to own anyone who logs into their account on the same network, plus the ISP and your government have a log of the exact images you viewed.