I want to believe this, but I have never seen anything about Xiaomi and security. Can you please give some pointers/links/events that happened before?


I don't have any links on hand, but I know of a handful of situations that I remember:

* Xiaomi Android phones had some kind of analytics APK built in around 2016 that would send a shitload of data over HTTP to their servers, and would even allow downloading emergency updates over HTTP. Their "fix" was to enable HTTPS, but leave the ability to force downloads and continue to run the analytics programs on the phones.

* Their robot vacuum used a password of "robotrock" to encrypt and sign updates.

* Their "yeelight" smart bulbs were recording audio and sending it back to their servers over HTTP.

* Their "air purifier" also sends analytics and does updates via HTTP without any signatures.

IIRC many of these were fixed at some point, but I know at least once they said (paraphrasing) "we aren't going to fix it because the device isn't capable of HTTPS", but I don't remember which device it was. And it's enough for me to understand that they don't seem to take data privacy and security very seriously at all.
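The recurring theme in the list above is updates fetched without any signature, with HTTPS offered as the fix. The following is an added example, not code from the thread or from Xiaomi, showing the check a device should run regardless of transport: a detached Ed25519 signature over the whole image, verified against a public key pinned in the device before anything is written to flash. The image bytes, key pair and `Tamper` helper are constructed for the demo and assumed to stand in for a real download.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrBadSignature is returned whenever an image must not be installed.
var ErrBadSignature = errors.New("firmware image rejected: signature does not verify")

// GenerateVendorKey creates the signing key pair. In a real deployment the
// private half stays in the vendor's build/signing infrastructure and only
// the public half is shipped in device firmware; a shared symmetric secret
// burned into every unit cannot give this guarantee, since anyone who reads
// it out of one device can sign for all of them.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignFirmware produces a detached signature over the entire image (vendor side).
func SignFirmware(priv ed25519.PrivateKey, image []byte) []byte {
	return ed25519.Sign(priv, image)
}

// VerifyFirmware is what the device runs before writing anything to flash.
// It depends only on the pinned public key, so an image altered on the wire
// (plain HTTP or otherwise) fails exactly like a forged one.
func VerifyFirmware(pub ed25519.PublicKey, image, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(pub, image, sig) {
		return ErrBadSignature
	}
	return nil
}

// Tamper flips one byte of a copy of image, standing in for an in-transit
// modification (constructed sample, not a real firmware format).
func Tamper(image []byte) []byte {
	out := append([]byte(nil), image...)
	out[len(out)/2] ^= 0x01
	return out
}

func main() {
	pub, priv, err := GenerateVendorKey()
	if err != nil {
		panic(err)
	}
	image := []byte("constructed sample firmware image v1.2.3") // constructed
	sig := SignFirmware(priv, image)
	fmt.Println("genuine image:", VerifyFirmware(pub, image, sig))          // <nil>
	fmt.Println("tampered image:", VerifyFirmware(pub, Tamper(image), sig)) // rejected
}
```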
