I honestly can't say when this started happening in SM webmail.

When you browse to an HTML based email that has external elements and click on [SHOW] (or if the user is set to "Show images from external websites") the secure session in your browser switches to "Not Secure". I can understand this. As you are retrieving elements from external sources the webmail session isn't necessarily secure because of cross-site content (GMail gets around the browser switching to a "Not Secure" session by proxying external elements).

The problem, however, is that even when you do switch to a different email that does not contain any external elements, or go to a different function, such as Calendar, or Contacts, your session is still showing as "Not Secure". A manual refresh of the webmail while you are on an email that does not contain external elements will result in the browser going back to showing it is secure, but this isn't done automatically via redirect or forced refresh. This leads to the webmail user believing that their entire session in webmail is not secure after viewing just one email with external elements.

I'm pretty certain this isn't Working As Intended nor has it always been like this.