I also contacted RStudio Support directly. This was their response:
"While custom domains are served over http, the shiny application itself is served over https. Custom domains are implemented as http pages that have the https shinyapps.io URL embedded in an iframe, so the app content itself is secure."
For others who were wondering, now you know the answer.