I'm aware that APT does not use HTTP/2 but it would be able to use it with HTTPS.
With automatic security updates, the risk of an attacker finding out what packages you have is less valuable considering you are installing the latest patches.
It would be more interesting if that doesn't happen, in which an attacker can learn what you have installed and wait until exploits appear. Automatic updates would negate this attack model.
edit: As I've demonstrated in a sibling comment; even 5 packages is already out of scope as solving which packages they are is a task of millenia. If you use 4 it could possibly be done by throwing a supercomputer at it for a few months.
With automatic security updates, the risk of an attacker finding out what packages you have is less valuable considering you are installing the latest patches.
It would be more interesting if that doesn't happen, in which an attacker can learn what you have installed and wait until exploits appear. Automatic updates would negate this attack model.
edit: As I've demonstrated in a sibling comment; even 5 packages is already out of scope as solving which packages they are is a task of millenia. If you use 4 it could possibly be done by throwing a supercomputer at it for a few months.