giving it a domain-name and serving with https encryption on it would improve all kinds of security.

then again, it feels wonderfully apt that it is on some random ip

Security of what? You're not inputting any data of your own into the site.

Hypothetically speaking, you can still be MitM'ed.

And then what, serve me fake Disco Elysium dialogs? What's the threat model?

Either pick one of the recent JavaScript sandbox escape CVEs on a vulnerable browser, or redirect to your phishing page as to your liking. Again, hypothetical and very unlikely, but the risks are there.

They could do all of this without mitming by just making a submission on HN. The extra step doesn't add anything.

Then why don't they, do you think?

Because it's a made up threat that only exists in your imagination?