With bug 1562881 we have started showing the insecure indicator on all http pages, thus we can remove the logic behind the security.insecure_password.ui.enabled pref that marked pages with login forms as insecure.

So far, Firefox warns blatantly (bug 1555317 comment 28) on http://http-login.badssl.com/ while Chrome merely shows "Not secure" without a broken padlock.
(IMHO) If you switched security.insecure_connection_text.enabled to true at the same time, removal couldn't really be considered as regression as Firefox would still warn a bit stronger than Chrome. But considering bug 1562881 landed in 70, should this rather be done in 71 to boil the frog slowly?

The point is that having any indication of insecure login forms in the identity section comes with a perf hit. Showing the insecure text would be the same thing, just different UI.

I don't think this can be seen as a regression in any case, we're simply removing the explicit mention of login fields from the identity popup, so it's a slight copy change at best. The user has an abundance of warnings about the insecure state of the site, in the identity block, the identity popup and the in-content warning on insecure form fields, so I wouldn't worry about it and just get rid of this.

My mistake, I thought this would remove in-content warnings, too.

I think what's left to do here is to remove all code that sets the loginforms attribute on the identity box, this query should be a relatively complete list of what needs to be removed or modified: https://searchfox.org/mozilla-central/search?q=loginforms&case=false&regexp=false&path=browser%2F

This pref also needs to be removed: https://searchfox.org/mozilla-central/rev/f36cb2af46edd2659f446b7acdb2154e230ee445/browser/app/profile/firefox.js#1369

Depends on D66863

https://hg.mozilla.org/mozilla-central/rev/4340bb31d707