I have a form that is on a secure page (HTTPS) and will be published on another page.
The form action does not specify the protocol, but I assume that the same protocol is used as on the page from which it originated. See below:
I think this works because the relative URL uses the same protocol as the page where it resides. Therefore, all traffic is encrypted.
However, I was recently contacted by someone who told me that the form is insecure and the information is being transmitted in clear text. I accept You've just checked network traffic with your browser development tools (they sent me a screenshot of their data on the Google Console Network tab).
Better safe than sorry!