Why are file URLs marked as not secure while HTTPS URLs are marked as secure in browsers?

The Connection is secure badge is in respect to the information transmitted via the network / internet. As you correctly observed, the file:// protocol uses no network connection, neither a mechanism to secure the same (because there is none), hence the badge absent.

Note that the browser does not label the file:// protocol as insecure. The browser simply has no reason to notify about the presence of security mechanisms that TLS provides.


I think file protocols are more secure than https protocols.

You would be correct, if the file is coming from local storage.

What if you are loading a file from an FTP mount (FTP protocol has no security, even passwords are sent as plain text)? Or from a remote (insecure) service over unencrypted wifi? A consumer access point with an attached drive could be set up like this.

The browser has no way of knowing if any of these connections are in fact secure. And even if it was possible to determine if direct filesystem links were secure, we cannot know if the next step in the chain is.

So, the browser simply doesn't guarantee what it doesn't know.