I would just replace "HTTPS" with "SSH", and see if that statement is still reasonable.
Even though SSH is not perfect when you can't verify the initial connection to a host on a local network, using TELNET instead is not a solution.
I have yet to hear a reason why HTTP is better than self signed and pinned HTTPS; why possibly insecure is worse than insecure.
The only justifications I have heard are UX justifications, and those are really just a critique of the UX, not the protocol.
> Security is done by physical access. Anything else is just extra complexity and points of failure, and if an attacker can get physical access to the LAN cable, he can just as well walk to the machine directly and change the settings on the control panel.
That is an extremely fragile solution.
By default ethernet is very open. It is very easy to bridge it with other devices or routers to announce themselves and start routing. It happens all the time on what are supposed to be closed networks, I've seen it.
And many networks are semi-offline. You may need to have limited internet access. Or the network configuration may change in the future.
