Specifically, .dev has HSTS pre-loaded everywhere. But that's not the same thing as HTTPS enforced. There are protocols built on HTTP which can't do TLS; those also don't obey HSTS (it would be pointless), and so they work fine on .dev, as do HTTP services for non-humans, who also needn't obey HSTS and presumably already understand the consequences.
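
The distinction drawn above, as an added example that is not part of the original comment: HSTS is a decision made inside the client, so only clients that implement it rewrite `http://` to `https://`. The `PRELOAD` table and the function names are hypothetical; the matching and rewrite rules follow RFC 6797 sections 8.2 and 8.3.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for a browser preload list: host -> includeSubDomains.
# The "dev" entry models the TLD-wide preload; "example.org" is a sample entry.
PRELOAD = {"dev": True, "example.org": False}


def is_known_hsts_host(host, preload=PRELOAD):
    """Exact match, or a superdomain match whose entry sets includeSubDomains."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return False  # HSTS does not apply to IP-literal hosts
    except ValueError:
        pass
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in preload and (i == 0 or preload[candidate]):
            return True
    return False


def effective_url(url, client_honours_hsts, preload=PRELOAD):
    """Return the URL a client actually requests for a given input URL."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not client_honours_hsts:
        return url  # a client without HSTS support sends plain HTTP as asked
    host = parts.hostname or ""
    if not is_known_hsts_host(host, preload):
        return url
    # Upgrade the scheme; explicit port 80 becomes 443, other ports are kept.
    port = parts.port
    netloc = host if port is None else f"{host}:{443 if port == 80 else port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for honours in (True, False):
        print(honours, effective_url("http://app.example.dev/health", honours))
```

If plaintext must be impossible for a service on such a domain, that has to be enforced at the server or network, since the preload only changes what HSTS-aware clients request.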