Sometimes I get insecure content warnings for the favicon on *.gnome.org. Sometimes I don't. I haven't investigated yet but a reasonable guess is that the favicon is checked to be mixed content only when first downloaded, and the result is never stored to be used on subsequent loads from the cache, similar to bug #138127.
If we fix bug #219396, then we can close this issue as obsolete because the favicon cache should never contain insecure content.