KeePass Software Update Mechanism Vulnerable to Man-In-The-Middle

Surprised that such a glaring weakness wasn't fixed long ago. Yes, updates aren't installed automatically and a user still has to manually download them, and a hacker would need to intercept and send a fake meta file.

Nevertheless, why would one download software update information over an unencrypted connection anyway?