You might notice that the JSON-LD we export links to schema.org using http rather than https. The schema.org team has moved their site to https for security and search ranking reasons, but this does not require schema markup to use https links.
You can test this by clicking an http link: it simply redirects to the https version. Additionally, http is still supported by Google tools and still used in Schema.org JSON-LD examples. These URLs are in place to uniquely identify a term; they do not process payments or other secure content, so the extra security is not required. If you're worried about your own site, our code won't have an effect on your site security. This is because the script blocks we insert have type="application/ld+json", which causes the browser to treat them as data blocks rather than executable code. Finally, schema.org notes that both will "remain widely understood for the foreseeable future".
For more information see: https://schema.org/docs/faq.html#19 and https://github.com/schemaorg/schemaorg/issues/2018
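To check your own pages, the following added example (not our plugin's code) pulls the `application/ld+json` data blocks out of an HTML string, parses them as JSON only, and treats `http://schema.org` and `https://schema.org` as the same vocabulary identifier. The function names and the sample HTML are constructed for illustration, and matching on the host alone is an assumption of this example.

```javascript
// Constructed sample page (not from a real site).
const SAMPLE_HTML = `
<script type="application/ld+json">
{"@context": "http://schema.org", "@type": "Organization", "name": "Example Co"}
</script>
<script type="application/ld+json">
{"@context": "https://schema.org/", "@type": "Product", "name": "Widget"}
</script>
<script type="application/ld+json">
{"@context": "https://example.invalid/vocab", "@type": "Thing"}
</script>
<script>var ordinaryScript = true;</script>`;

// Collect only the data blocks; scripts without the ld+json type are skipped.
function extractJsonLdBlocks(html) {
  const re = /<script\b[^>]*\btype\s*=\s*["']application\/ld\+json["'][^>]*>([\s\S]*?)<\/script>/gi;
  const blocks = [];
  let match;
  while ((match = re.exec(html)) !== null) {
    blocks.push(JSON.parse(match[1])); // parsed as JSON, never evaluated
  }
  return blocks;
}

// Assumption for this example: only the host decides; http and https are equivalent.
function isSchemaOrgContext(context) {
  if (typeof context !== "string") return false;
  let url;
  try {
    url = new URL(context);
  } catch (err) {
    return false;
  }
  const schemeOk = url.protocol === "http:" || url.protocol === "https:";
  return schemeOk && url.hostname === "schema.org";
}

// One summary row per data block: its type, its context, and the verdict.
function summarizeContexts(html) {
  return extractJsonLdBlocks(html).map((block) => ({
    type: block["@type"],
    context: block["@context"],
    schemaOrg: isSchemaOrgContext(block["@context"]),
  }));
}

console.log(summarizeContexts(SAMPLE_HTML));
```
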