
You can: have an “insecure.” version of your site, like people used to have a “secure.” version.


You can’t:

① If it’s on the same domain, it would necessitate weakening the HSTS policy, removing includeSubDomains and preload.

② If it’s on a separate domain, you’re actively training people to do dangerous things and get phished.

③ Pretty much the only way this will ever be used is if you push people to it and ensure that search engines choose it rather than the secure version. (Implicit in this is a significant SEO hassle.) Thus you’re back exactly where you started.
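
Point ① modelled as the host-matching rule a browser applies to its stored HSTS policies (RFC 6797). This is an added example, not part of the original comment; the host names, header values and function names are constructed for illustration.

```javascript
// Parse a Strict-Transport-Security header value into its directives.
function parseHsts(value) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of value.split(';')) {
    const [rawName, rawVal] = part.trim().split('=');
    const name = (rawName || '').trim().toLowerCase();
    if (name === 'max-age') {
      const v = (rawVal || '').trim().replace(/^"|"$/g, '');
      if (/^\d+$/.test(v)) policy.maxAge = Number(v);
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;
    } else if (name === 'preload') {
      policy.preload = true;
    }
  }
  return policy;
}

// store: Map of host -> parsed policy the browser has noted or preloaded.
// Returns true if a plain-http request to `host` is rewritten to https.
function isUpgraded(store, host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join('.');
    const p = store.get(candidate);
    if (!p || p.maxAge === null || p.maxAge === 0) continue;
    // i === 0: the host itself set the policy; i > 0: a parent domain did,
    // which only counts when that policy carries includeSubDomains.
    if (i === 0 || p.includeSubDomains) return true;
  }
  return false;
}

// Constructed scenario: the same site with the full and the weakened policy.
function demo() {
  const full = parseHsts('max-age=63072000; includeSubDomains; preload');
  const weakened = parseHsts('max-age=63072000');
  const fullStore = new Map([['example.com', full]]);
  const weakStore = new Map([['example.com', weakened]]);
  return {
    insecureUnderFull: isUpgraded(fullStore, 'insecure.example.com'),
    insecureUnderWeakened: isUpgraded(weakStore, 'insecure.example.com'),
    otherSubUnderWeakened: isUpgraded(weakStore, 'login.example.com'),
    apexUnderWeakened: isUpgraded(weakStore, 'example.com'),
  };
}

console.log(demo());
```

With the weakened policy the `insecure.` host becomes reachable over HTTP, and so does every other subdomain that has not set its own policy.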



