what is someone gonna deface the site? how are you gonna tell?

Among other threat models, someone on your network shotgun-injecting malicious JavaScript. Hotels have been known to do basically that to inject ads.

Non-HTTPS doesn't mean "an attacker can modify how the website looks", it means "an attacker can server whatever the heck they want". Ads, malicious JS, or a PDF with a payload that pwns your machine... Neither you nor the "real" server are in control without encryption, a MITM can do anything.

Sometimes you can’t tell if the ”artist” is into “graffiti” or “vandalism”. Or maybe just vandegraaf generators.