I know this has been asked before, but trying to make this work, local Plex clients all show secure, which suggests that Plex is setup correctly. All remote Infuse clients are also showing as secure. Local infuse clients all show insecure. Anything else I can look at?
This post may explain what you’re seeing.
I believe my scenario is a bit different. The certificate is not self-signed it’s generated through Cloudflare and has a valid CA.
The question is how are you connecting to plex in your local network if your using the local IP address of plex then you would need a certificate for that SAN also. Let me explain. When requesting a certificate it can have one SAN or several. So if you have a server, let’s say working on a public network and its domain name is video.example.com and want secure connections to this server it’s enough to generate a certificate for this SAN, where SAN is DNS = video.example.com. You may however want to also connect to the server using its public IP which is for example 10.10.10.10. In order to have secure connection to this IP you would also need to add this SAN as IP = 10.10.10.10 so that whenever you connect to the server using its DNS name or IP address both of them would be trusted as they would be contained in the certificate. But, in your local network, you might be connecting to the server using its internal IP… and that would be a third SAN that would need to appear in the certificate for the connection to be treated as trusted. It’s important to check how your connection configuration to this plex server is configured when you’re on your internal network. If you’re using Plexes internal IP it will never be trusted unless your certificate contains Plexes internal IP’s as SAN. Another thing that comes to my mind, I’m not aware that infuse falls back from https to http on Plex when https cert isn’t trusted by iOS. When You explicitly set https it should not fall back to http even if the certificate is invalid. It will not connect if the certificate is not trusted but it should not fall back to non secure connection. That was the case for Emby at least. Maybe Plex has other connection properties in infuse which I’m not aware of. I can’t test that. If you want a secure connection to your Plex in your internal network, request a certificate for both, public and private IP’s as well as the DNS name of your server. There is a good chance it will work. I connect to Emby server using my public dns name of the server within my home network as well as outside of it and all my connections are secure and configured to the server public DNS name. If I wanted to connect to my Emby server using its internal IP I would have to switch to HTTP because I can’t cheaply obtain a certificate with additional SAN entries 
the only drawback is that connecting to my server through a public network is a little slower and https takes its toll on data transfer as well (depending on the servers hardware of course), but it’s fast enough for me. Besides, at home you don’t need to use http, there’s no one sniffing your traffic on your home network 