For obvious reasons (targeting embedded devices with limited flash) it's not the default, but for devices which can support it, HTTPS is easily enabled.

    opkg install wget ca-bundle
    sed -i "s/http/https/" /etc/opkg/distfeeds.conf

Done. And now packages have cryptographic signatures verified and are downloaded over HTTPS.

Are there other things pfSense can offer me? :)

(Thanks for giving me the push, btw)