The current spec only adds [Exposed] to all service-worker-specific interfaces except ServiceWorkerGlobalScope. Other specs also generally prefer not to give SecureContext, per webref:
- Specs with SecureContext: push-api
- Specs without SecureContext: content-index, background-sync, background-fetch, payment-handler, cookie-store, periodic-background-sync

Gecko and Blink do not add [SecureContext] for those interfaces, but WebKit does. (For Gecko, devtools allows a non-secure context to temporarily run a service worker, so SecureContext doesn't make a lot of sense.)

Given there's no spec other than push-api that adds SecureContext, I filed w3c/push-api#397, but then found there's no explicit agreement or guideline, hence this issue.
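
The kind of survey described above can be scripted over IDL text. This is an added example, not part of the original issue or of webref's tooling; the IDL fragments are constructed, and `splitTopLevel` and `auditSecureContext` are hypothetical names. It assumes `Exposed=Worker` and `Exposed=*` both reach ServiceWorkerGlobalScope.

```javascript
// Constructed WebIDL fragments for illustration; not copied from any spec.
const SAMPLE_IDL = `
[Exposed=(Window,Worker), SecureContext]
interface ExamplePushThing {};

[Exposed=ServiceWorker]
interface ExampleSyncEvent : ExtendableEvent {};

[Exposed=Window]
interface ExampleWindowOnly {};

[SecureContext, Exposed=*]
interface ExampleEverywhere {};
`;

// Split an extended attribute list on commas that are not inside parentheses,
// so "Exposed=(Window,Worker), SecureContext" yields two attributes, not three.
function splitTopLevel(list) {
  const parts = [];
  let depth = 0, cur = "";
  for (const ch of list) {
    if (ch === "(") depth++;
    if (ch === ")") depth--;
    if (ch === "," && depth === 0) { parts.push(cur.trim()); cur = ""; }
    else cur += ch;
  }
  if (cur.trim()) parts.push(cur.trim());
  return parts;
}

// Exposure values that make an interface visible in a service worker (assumption stated above).
const SW_GLOBALS = new Set(["ServiceWorker", "Worker", "*"]);

// Report every service-worker-exposed interface and whether it carries [SecureContext].
function auditSecureContext(idl) {
  const re = /\[([^\]]*)\]\s*(?:partial\s+)?interface\s+(?!mixin\b)(\w+)/g;
  const report = [];
  for (const [, attrs, name] of idl.matchAll(re)) {
    const list = splitTopLevel(attrs);
    const exposed = list.find(a => /^Exposed\s*=/.test(a)) || "";
    const globals = exposed.replace(/^Exposed\s*=\s*/, "").replace(/[()]/g, "")
      .split(",").map(s => s.trim()).filter(Boolean);
    if (!globals.some(g => SW_GLOBALS.has(g))) continue; // not reachable from a service worker
    report.push({ name, secureContext: list.includes("SecureContext") });
  }
  return report;
}

console.log(auditSecureContext(SAMPLE_IDL));
```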