But it hides the HTTP request itself - Sourceforge hosts thousands of different projects, if served over HTTPS it'd be considerably harder to tell which download had been requested.
Going to the Handbrake site is a good clue (plus seeing a stream of a few MBs), and HTTPS doesn't protect them from knowing that, since they need to be the only site on that IP and/or use SNI, which sends the hostname in plaintext.
It's interesting that this a concern, as this is a greater level of privacy than what we've enjoyed anywhere else. I'm thinking in real world contexts.
