I never used DragonflyBSD, but the lack of https for image downloads and lack of a GPG signature file seems like a huge concern. Even more concerning is if this page is correct it looks like they may also default to http for their repos.
All of these are easily fixable issues, getting a certificate from Let’s Encrypt or some other CA if they have the budget for it, creating a detached signature for their installer images before uploading it to their server(s). I don’t know any DragonflyBSD devs, so I would say reach out on their mailing list or open a bug in their issue tracker about these.
The plus side is it looks like their ports tree is hosted on GitHub so it’s probably safe to say those are fetched in a secure way.