Interesting point. The loading of scripts from non-secure CDNs does seem like a source of concern, although I don't know how we could practically address that without making localhost so cumbersome that it defeats the point of treating it as potentially trustworthy.
(Both Secure and Potentially Trustworthy origins can already POST any data they have to any non-secure endpoint, because Mixed Content checks don't govern navigations.)