Some good thoughts, thanks.
The vulnerability of HTTP involves stealing a user's session, so even if editing mode is off, the 'hacker' can still turn editing mode on easily once the session is intercepted.
HTTPS for admin only or limiting HTTPS by role is an good idea, as the HTTPS overhead will come from only a few users (say admins and teachers.) But even if only a ordinary student's account is compromised, his or her personal information would be exposed. Academic integrity can also be compromised if one student hacks into another student's account and changes their submissions or copies their submissions.