Jenkins / JENKINS-47812

Insecure download of Jenkins plugins over HTTP


    • Type: Improvement
    • Resolution: Duplicate
    • Priority: Minor
    • Component: core

      Jenkins plugins seem to be downloaded over plain insecure HTTP, as can be seen in the file https://updates.jenkins.io/current/update-center.json which Jenkins uses to get its initial list of plugins available:

      name: "github",
      sha1: "ZlQ5HHBUDK7C6fklnspJ1EsFRDU=",
      title: "GitHub plugin",
      url: "http://updates.jenkins-ci.org/download/plugins/github/1.28.1/github.hpi",
      version: "1.28.1",
      wiki: "https://plugins.jenkins.io/github"

      (note that this is the case of all the plugins, not only the Github plugin).

      Serving these plugins over HTTPS would be much more secure - in the current setup, an attacker on the network can run a MiTM attack against Jenkins to spoof updates.jenkins-ci.org and distribute malicious plugins.

      I was able to confirm this behavior by running the latest version of the Jenkins LTS on Docker and looking at the traffic with Wireshark.

            Assignee: Unassigned
            Reporter: christophetd
            Votes: 0
            Watchers: 2

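The report shows each update-center entry carrying a base64-encoded SHA-1 digest next to an HTTP download URL, and the metadata file itself is fetched over HTTPS. The script below is an added example, not code from the issue or from Jenkins: it audits entries in the shape quoted above for non-HTTPS download URLs and verifies a downloaded .hpi against the published sha1 field, so a tampered download is rejected even when the transport was plaintext. The update-center text, the plugin bytes and the JSONP wrapper handling (updateCenter.post(...)) are constructed assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed stand-in for the bytes of github.hpi (not a real archive); the
# sha1 value in the sample below is computed from it, not taken from the issue.
FAKE_HPI_BYTES = b"PK\x03\x04 constructed stand-in for github.hpi"


def sha1_b64(data: bytes) -> str:
    """Base64-encoded SHA-1 digest, the encoding the sha1 field uses."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


# Constructed sample in the shape of the update-center.json entry quoted in
# the issue (name, version and URL as reported; digest computed above).
SAMPLE_UPDATE_CENTER = json.dumps({
    "plugins": {
        "github": {
            "name": "github",
            "sha1": sha1_b64(FAKE_HPI_BYTES),
            "title": "GitHub plugin",
            "url": "http://updates.jenkins-ci.org/download/plugins/github/1.28.1/github.hpi",
            "version": "1.28.1",
            "wiki": "https://plugins.jenkins.io/github",
        }
    }
})


def parse_update_center(text: str) -> dict:
    """Decode update-center JSON. Assumption: the file may arrive wrapped in a
    JSONP call of the form updateCenter.post({...}); strip that if present."""
    body = text.strip()
    prefix, suffix = "updateCenter.post(", ");"
    if body.startswith(prefix) and body.endswith(suffix):
        body = body[len(prefix):-len(suffix)]
    return json.loads(body)


def audit_plugin_entry(entry: dict) -> list:
    """Flag an entry whose download URL is not HTTPS or that has no digest."""
    findings = []
    scheme = urlparse(entry.get("url", "")).scheme.lower()
    if scheme != "https":
        findings.append(
            f"{entry.get('name')}: download URL uses {scheme or 'no'} scheme, not https"
        )
    if not entry.get("sha1"):
        findings.append(f"{entry.get('name')}: no sha1 digest to verify the download")
    return findings


def audit_update_center(text: str) -> list:
    """Run the per-entry audit over every plugin in the metadata."""
    data = parse_update_center(text)
    findings = []
    for entry in data.get("plugins", {}).values():
        findings.extend(audit_plugin_entry(entry))
    return findings


def verify_hpi(data: bytes, expected_sha1_b64: str) -> bool:
    """Compare the downloaded file's SHA-1 with the digest published in the
    metadata; constant-time compare so the check itself is not an oracle."""
    expected = base64.b64decode(expected_sha1_b64)
    return hmac.compare_digest(hashlib.sha1(data).digest(), expected)


if __name__ == "__main__":
    for finding in audit_update_center(SAMPLE_UPDATE_CENTER):
        print("FINDING:", finding)
    entry = parse_update_center(SAMPLE_UPDATE_CENTER)["plugins"]["github"]
    print("genuine download verifies:", verify_hpi(FAKE_HPI_BYTES, entry["sha1"]))
    print("tampered download verifies:", verify_hpi(FAKE_HPI_BYTES + b"x", entry["sha1"]))
```

The digest check only helps if the metadata it comes from is trusted, which is why the HTTPS origin of update-center.json matters: a network attacker who can rewrite the plaintext .hpi download cannot also rewrite the sha1 field delivered over TLS, so a mismatch is the signal to discard the file.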