MITM where attacker needs to install their own CA certs on the victim's device -- sure, out of scope.
MITM because you used http instead of https and you don't have any other verified cryptographic signature on your data -- get tae fuck, fix it pronto.
I'd even count this as "having local access to the device", as that is what is needed to install such a cert.