Case scenario: you have certain pages on your site that force SSL but not all. You notice that the culprits (i.e. pesky buggers that are still being served using
http://) are all coming from the uploads folder and are in the media library.
Cheers to the anonymous Ludovic who came up with this seemingly obvious solution to a problem Google was stubbornly refusing to help me with.