Browsers make an exception for localhost and treat it as a secure context.
It's also possible to get a certificate from a CA using any public IP address, and then reuse that cert for LAN. Certs are bound to domain names, not IP addresses.
Why should an org expose details of private infrastructure publicly? For anyone with more than a few internal tools this becomes untenable or unreasonable quickly, and sharing a wildcard cert has diminishing returns as it's shared between apps, teams, etc.