Added content="block-all-mixed-content" to a CSP for the site, which will keep HTTPS security with some non HTTPS instances.  It shouldnt actually break remote images too badly because the instance should fetch them with SRM anyways.  If it doesnt then that's a plugin defect.