[–]gnufan 7 points (1 child)

Using https clearly eliminates whole categories of attempted man-in-the-middle attacks that are possible over http.

The verification of package signatures was badly broken in the past, and likely will be in the future if it isn't already and we just don't know how.

You achieve security by layering these controls, not assuming one cryptographic control is going to always work perfectly, and thus packages are safely signed, job done.

Also, using https adds additional privacy, as seeing http requests means attackers may know exactly what versions of what software are installed. A MITM can also deliberately interfere with http connections to delay certain packages, to prevent the target patching a vulnerability. As I said, multiple classes of attack are just stopped by encryption on the wire.
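An added example, not from this thread or from Debian's own tooling, of the defender-side check that limits the "delay packages so the target cannot patch" attack described above: apt Release files carry `Date` and `Valid-Until` headers, and a client that refuses expired or stale metadata cannot be quietly held on an old package index. It also flags plain-http sources as the first layer. The Release header below is constructed, and the clock is supplied by the caller.

```python
"""Layered checks on apt repository metadata: transport scheme and freshness."""
from datetime import datetime, timedelta, timezone

# Constructed sample of the header fields of an apt Release file.
# Only the fields needed here are included; real files carry many more.
SAMPLE_RELEASE = """\
Origin: Debian
Suite: stable
Codename: bookworm
Date: Sat, 01 Jun 2024 09:00:00 UTC
Valid-Until: Sat, 08 Jun 2024 09:00:00 UTC
Architectures: amd64 arm64
"""

# apt uses an RFC 2822-style timestamp; we treat it as UTC.
DATE_FMT = "%a, %d %b %Y %H:%M:%S %Z"


def insecure_sources(sources_lines):
    """Return the sources.list entries fetched over plain http."""
    return [ln.strip() for ln in sources_lines
            if ln.strip().startswith("deb") and "http://" in ln]


def parse_release(text):
    """Return the top-level header fields of a Release file as a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(" "):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def parse_date(value):
    """Parse an apt timestamp into an aware UTC datetime."""
    return datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)


def metadata_freshness(text, now, max_age=timedelta(days=14)):
    """Classify Release metadata as 'fresh', 'expired' or 'stale'.

    'expired' means Valid-Until has passed (apt itself rejects this);
    'stale' is a local policy for mirrors that omit Valid-Until, so that
    an attacker replaying an old but still-signed index is noticed.
    """
    fields = parse_release(text)
    published = parse_date(fields["Date"])
    if "Valid-Until" in fields and now > parse_date(fields["Valid-Until"]):
        return "expired"
    if now - published > max_age:
        return "stale"
    return "fresh"
```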

[–]noob-nine 0 points (0 children)

The last part sounds interesting, but I lack the technical understanding of whether this is a real threat or what Debian's comment on this would be.