Perhaps the answer is to reuse our old friend - the padlock.
If a safe URL (safe://) includes non-safe URLs, the padlock is open (insecure). If all data is included via safe URLs, them the padlock closes (secure). I suppose you could deem https URLs as something in the middle too.
Edit: Ofc, you may not even want to request from http/https URLs, to prevent data leakage, but that can be worked around with a good UI (or even incognito mode?).