ATLThrasher22
Apr 09, 2020 | Aspirant
RBR50 - insecure login
When logging into my Orbi RBR50 via the Orbilogin.com site it defaults to using an insecure login connection (http://orbilogin.com). Considering this could put the login name and password at risk is...
- Apr 09, 2020
This is correct. http is "not secure", which is why Orbi will never respond to an http connection from the internet. If "Remote Management" is activated in the Advanced Setup menu, it opens port 8443 to the internet and waits for an SSL connection attempt. Residential routers have used http for as long as I can remember, the theory being that someone has to break the WiFi encryption to get inside the network.
If you are concerned that someone can get inside the Orbi LAN and eavesdrop on conversations, then Orbi will respond to https connections from the LAN side (https://orbilogin.net). However, there is a problem with this approach as well. Last August, Netgear either (a) neglected, or (b) decided not, or (c) was not allowed to renew the SSL certificates for a bunch of URLs, including routerlogin.net, routerlogin.com, orbilogin.com, and orbilogin.net. With the current firmware release, Netgear has included a "self-signed" security certificate in the Orbi. Modern browsers complain about this. (STOP - GO BACK - POTENTIAL RISK - The Sky is Falling). Buried in the small print is a link to "Go ahead to the site anyway." If you choose this, then the browser takes you to the Orbi router web interface in an encrypted session.
I have read comments that "these days" it makes no sense for 1,000s of devices spread all around the world to claim that their SSL certificate for something like "routerlogin.net" is valid. The issue is far more complicated than one might think.
So, (a) you are correct, and (b) there is an (ugly) workaround.
FURRYe38
Apr 09, 2020 | Guru - Experienced User
I stand corrected, users can access the web pages using HTTPS://
Though the browser may tell you that the certificate is invalid. You can still access using https.
Thank you CrimpOn.
NG hasn't offered HTTPS on their LAN side web page access since the LAN side would be hard to do anything with from the WAN side. Someone would have to be on the LAN side to do anything nefarious. NG hasn't offered any updates on this on most of their routers. Remote access from the WAN side uses HTTPS.
You can certainly put in a request for it:
https://community.netgear.com/t5/Idea-Exchange-For-Home/idb-p/idea-exchange-for-home
Good Luck.