
I like Apple's approach, where HomeKit certification requires that the device use some form of secure transport to communicate with iOS.


Which totally would not have helped in this case: using https would still have left the DB exposed.


It doesn't help the server-side data leak, but at least you can't connect to it and make it say 'destroy all humans'.


That's not necessarily the case. TLS protects the connection, but by default does not provide authentication. I also see a lot of instances where certificate checking has been disabled, so that the client just ignores a MitM attack. So with TLS it would seem more secure at first glance, but given the implementation blunders here I wouldn't expect any real improvement.


Yeah, that's true. I'm totally assuming 'competently implemented TLS' when I say it would protect the connection.



