I'm curious about this myself. Would there be an attack vector?

It seems to me secure localhost would only be needed for developers, and developers should be able to allow a self-signed cert.