At some point I think it will only be fair to require --insecure for #curl to do an unauthenticated protocol transfer (unless it is localhost). For clear text http:// etc.
Discussion
for a second I thought you meant --insecure will prevent the use of Basic Auth and I got scared