Google's John Mueller confirmed that from an SEO point of view, linking to an HTTP URL, instead of an HTTPS URL is fine. Google won't penalize or downgrade your site if you link externally to a non-secure page.
Of course, from a user point of view link to the HTTPS version if possible and make sure your site and embeds are secure. But linking to sites that are not on HTTPS or just linking to the HTTP version and that site redirecting you to the HTTPS version is fine.
Here is John Mueller's tweet:
No, that's fine from an SEO point of view. From a security POV linking directly to the HTTPS version when it exists is better, but sometimes HSTS helps. For embedding (images, iframes), you need to use HTTPS.
— 🍌 John 🍌 (@JohnMu) February 24, 2020
Back in 2015, Google even said it is not worth going back through all your external links and changing them from http to https.
Forum discussion at Twitter.
