Why is the Shields setting "upgrade connection to HTTPS" not strict by default?

As the title says: "Why is the Shields setting 'upgrade connection to HTTPS' not strict by default?"

Ever since an HTTP site tried to download a virus to my PC,
I have always set any browser I use to not open HTTP sites by default and to warn about them,

which is what this Shields setting does.
I expected it to be on by default in Brave, since the Brave brand is privacy focused, which implies stricter security.

Anyway, since this seems like an obvious default, I really wonder why it is not.
I assume this was debated somewhere and a decision was made to leave it at standard,
so why was this decision made?

🙂

@systems

Brave Browser and HTTPS default issues

Brave Support article:

https://support.brave.app/hc/en-us/articles/15513090104717-Strict-HTTPS-Upgrade-Mode-in-Brave-Browser


First, this is a misconception about what HTTP vs HTTPS actually is:

"Ever since an HTTP site tried to download a virus to my PC"

I understand you had a bad experience, but keep in mind that an HTTPS site can equally deliver you malware, with one benefit: it will deliver you malware securely.

"I expected it to be on by default in Brave, since the Brave brand is privacy focused, which implies stricter security"

Again a misunderstanding. For example, did you know most consumer routers you buy in a store default to only port 80 for configuring them, and only once set up is HTTPS (port 443) usually an option? Some may have HTTPS on by default, but a lot don’t.

That means you’d have Brave users complaining they can’t sign into their router, since by default port 443 is disabled on the LAN-facing side unless enabled. But if Brave enforced HTTPS by default, those users would need to know to turn that off.

That’s what Shields is; it keeps you safe, along with other features.

HTTPS strict enforcement is an option for a reason: it will break more things than you might realize. Not to mention, there are honestly still websites that simply don’t offer HTTPS, and those would be inaccessible as well.

But most importantly, remember what I said: HTTPS doesn’t magically protect you from viruses. HTTPS only means a server can securely send you a virus. It’s still up to the user to choose not to visit websites that might intentionally try to deliver harmful content. Why give them your traffic anyway? 😉

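To make the trade-off in the reply above concrete, here is an added example (written for this thread, not Brave's own code) that models the two upgrade policies as a small decision function. It is a simplified model, not the browser's actual implementation: "standard" mode upgrades http:// to https:// and silently falls back to HTTP when the host does not answer over TLS, while "strict" mode never falls back and instead stops with a warning unless the user has added a per-site exception. The table of which hosts offer HTTPS is constructed so the example runs offline; the LAN router address and the "HTTP-only" site are hypothetical.

```python
import ipaddress
from urllib.parse import urlparse, urlunparse

# Constructed sample data: which hosts answer on port 443. A real browser
# learns this by attempting the connection; here it is a fixed table so the
# example runs offline. The hosts are hypothetical.
HTTPS_AVAILABLE = {
    "example.com": True,
    "plain-http-only.example": False,  # hypothetical site that never offered TLS
    "192.168.1.1": False,              # hypothetical router admin page, port 80 only
}


def is_private_host(host):
    """True for RFC 1918 / loopback addresses and common LAN names, the
    kind of host the reply says strict mode tends to break (router UIs)."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return host == "localhost" or host.endswith(".local")


def upgrade_url(url):
    """Rewrite an http:// URL to https://, leaving everything else intact."""
    parts = urlparse(url)
    if parts.scheme != "http":
        return url
    return urlunparse(parts._replace(scheme="https"))


def resolve(url, mode, https_available=HTTPS_AVAILABLE, exceptions=frozenset()):
    """Decide what the browser does with a navigation under the given mode.

    Returns (final_url, outcome) where outcome is one of:
      "unchanged"       - URL was not http://, nothing to upgrade
      "exception"       - user-added per-site exception, HTTP allowed
      "upgraded"        - host supports HTTPS, navigation upgraded
      "fallback-http"   - standard mode: HTTPS failed, silently use HTTP
      "blocked-warning" - strict mode: HTTPS failed, show a warning instead
    """
    if mode not in ("standard", "strict"):
        raise ValueError("mode must be 'standard' or 'strict'")
    parts = urlparse(url)
    if parts.scheme != "http":
        return url, "unchanged"
    host = parts.hostname
    if host in exceptions:
        return url, "exception"
    upgraded = upgrade_url(url)
    if https_available.get(host, False):
        return upgraded, "upgraded"
    if mode == "standard":
        # The silent fallback is exactly what keeps port-80-only router
        # pages working, and also what a strict user gives up.
        return url, "fallback-http"
    return upgraded, "blocked-warning"


def hosts_broken_by_strict(https_available=HTTPS_AVAILABLE):
    """List hosts that work in standard mode but would warn in strict mode,
    flagging which of them look like LAN devices."""
    return sorted(
        (host, is_private_host(host))
        for host, ok in https_available.items()
        if not ok
    )


if __name__ == "__main__":
    for mode in ("standard", "strict"):
        for url in ("http://example.com/login", "http://192.168.1.1/", "http://plain-http-only.example/"):
            print(mode, url, "->", resolve(url, mode))
    print("would break under strict:", hosts_broken_by_strict())
```

Running it shows the router page reaching "fallback-http" in standard mode but "blocked-warning" in strict mode, and the `exceptions` argument shows the way out: a per-site allowance rather than turning strict mode off globally.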