On a vanilla MediaWiki 1.29alpha (90f0807) with no extension, when $wgServer has an initial "https://" (instead of "http://" or "//"), I would have expected that it would force MediaWiki to redirect every HTTP requests to HTTPS, and it is what is documented on MediaWiki.org, but it’s not the case for anonymous visitors and logged-in users (although the login page redirects to HTTPS during authentication, but further navigation can be done with HTTP).
When I add $wgSecureLogin = true, the login page is not redirected to HTTPS; it is normal since this setting is only activated when $wgServer is protocol-relative, but the whole feature is anyway defeated in this case.
I observed it first on a production MediaWiki 1.27 and then reproduced it on a vanilla MediaWiki 1.29alpha.
I’m not sure this bug can be qualified as a "security issue", but given I have doubts, I prefer fill it as such, instead of the contrary. Anyway it would be better to fix this bug before T118413 is done.