For a largely authenticated site like one that runs Commons, it's always best to use HTTPS to secure all of the user sessions. I'm sure any corporate intranet will do that, and hopefully many community sites will as well.
I know this is not a use case for all Commons sites, so it should not be enabled by default. However, since it is relatively common, we should acknowledge it. But since it requires core patches right now (and for the foreseeable future), maybe we should include at least those core patches, so that others do not need to hack Commons core.