If you use SSL, but do not use HSTS (and no HPKP) you allow an attacker to downgrade to HTTP.
Having SSL, without HSTS, is the same as nothing. You can not connect to HSTS (and neither HKPK), this will break access to the pages in HTTP.
The absence of these features allows HTTPS pages to go to HTTP. The attacker can do this and completely ignore SSL.
If you are loading
img into HTTP and without using SRI and without CSP, you allow the attacker to modify the content. But, this is irrelevant because it can already modify the entire page. Whereas the attacker does some DNS Poisoning or ARP Poisoning, for example.
If you have a secure subdomain, such as
seguro.site.com , you have to insure that it uses HSTS, at a minimum.
This still has other problems. For example, you should enable "secure" in the cookie so that the cookie does not go to the insecure area, and restrict it to the subdomain. Otherwise, it becomes possible to steal the sessions when the user enters the insecure area. This bypassing the possibility of a Session Fixation by setting a cookie in the insecure area to be used in the secure area.
Out of privacy. Now the provider knows which site it has accessed and what information it has obtained, because it is in HTTP. If you were on HTTPS (and with HSTS Preload) only IP would be obtained, it would not even guarantee which site was accessed.