The root cause has turned out to be Configuration Manager PowerShell. The cmdlet 'Set-CMSite', when used to make other unrelated changes to a site, will flip this setting at the site level even if no security settings are specified in your code.
For example, the following code causes my test environment to change to using HTTPS.
$site = Get-CMSite | Where sitecode -eq TST Set-CMSite -InputObject $site -GeneralAlertWhenFreeDiskSpaceOnSiteDatabaseIsLow $true
Now, I don't know if there are a particular set of other factors that come into this or not, but I can reproduce this in at least three environemtns now, two at customers, and one is my own lab. It took ages to figure out why these settings would sometimes change.
I hope this helps someone else understand the issue.
Solution? Manually change settings back, but I haven't figured out how to stop this happening if you don't know about it. When you know about the issue, you can include code to stop this happening. Using the same example above, I do this:
$site = Get-CMSite | Where sitecode -eq TST Set-CMSite -InputObject $site -GeneralAlertWhenFreeDiskSpaceOnSiteDatabaseIsLow $true -ClientComputerCommunicationType HTTPSorHTTP
This documentation on TechNet says that '-ClientComputerCommincationType' does not have a default value, so I don't know why this issue exists.