Should the API be exposed only to secure context? #47

@alexshalamov

The Device Motion and Orientation API may expose sensitive information. Most of the web platform APIs that expose powerful features are only accessible from secure contexts. It might be a good idea to restrict this API to secure contexts only.

I quickly checked the implementations and ran some tests: all browsers (Safari, Mozilla, Edge, IE, Chrome) expose device motion and orientation to both secure and non-secure contexts.

As per [SECURE-CONTEXTS], sensor access is considered to be a powerful web platform feature and therefore should be exposed only to secure contexts.
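
The exposure check described in the issue, together with a page-side gate, as an added example that is not part of the original post. `auditMotionExposure`, `subscribeIfSecure` and `mockWindow` are hypothetical names, and the mock objects are constructed stand-ins for `window` so the code also runs outside a browser.

```javascript
// Added example: function names and mock objects are hypothetical.
const MOTION_INTERFACES = ['DeviceMotionEvent', 'DeviceOrientationEvent'];
const MOTION_HANDLERS = ['ondevicemotion', 'ondeviceorientation'];

// Report which motion/orientation entry points a global object exposes and
// whether that exposure happens outside a secure context.
function auditMotionExposure(globalObj) {
  const secure = globalObj.isSecureContext === true;
  const exposed = [
    ...MOTION_INTERFACES.filter((n) => typeof globalObj[n] === 'function'),
    ...MOTION_HANDLERS.filter((n) => n in globalObj),
  ];
  return {
    secure,
    exposed,
    // The condition the issue reports: sensor API reachable from a non-secure context.
    exposedToInsecureContext: !secure && exposed.length > 0,
  };
}

// Page-side gate: subscribe to devicemotion only when the context is secure,
// regardless of whether the browser still exposes the event elsewhere.
function subscribeIfSecure(globalObj, handler) {
  const { secure, exposed } = auditMotionExposure(globalObj);
  if (!secure || !exposed.includes('ondevicemotion')) return false;
  globalObj.addEventListener('devicemotion', handler);
  return true;
}

// Constructed stand-in for `window` (secure or not, with or without sensors).
function mockWindow(secure, withSensors) {
  const listeners = [];
  const w = {
    isSecureContext: secure,
    listeners,
    addEventListener: (type) => listeners.push(type),
  };
  if (withSensors) {
    w.DeviceMotionEvent = function DeviceMotionEvent() {};
    w.DeviceOrientationEvent = function DeviceOrientationEvent() {};
    w.ondevicemotion = null;
    w.ondeviceorientation = null;
  }
  return w;
}

// In a browser console: auditMotionExposure(window)
```
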
