A direct answer to this would eventually become outdated if more top-level domains start enforcing HTTPS using HTTP Strict Transport Security (HSTS, RFC 6797). Technically this is an HSTS policy of a TLD submitted to the preloading list. It started with Google's new TLDs,
The HSTS preload list can contain individual domains or subdomains and
even top-level domains (TLDs), which are added through the HSTS
website. The TLD is the last part of the domain name, e.g., .com,
.net, or .org. Google operates 45 TLDs, including .google, .how, and
.soy. In 2015 we created the first secure TLD when we added .google to
the HSTS preload list, and we are now rolling out HSTS for a larger
number of our TLDs, starting with .foo and .dev.
and there has even been preliminary thoughts on the possibility of protecting the entire .gov in the future:
Zooming out even further: it’s technically possible to preload HSTS
for an entire top-level domain (e.g. “.gov”), as Google first did with
.google. As a relatively small, centrally managed top-level domain,
perhaps someday .gov can get there.
To know the current situation, one must consult the Chromium HSTS Preloaded list.
The preloaded list is also available on Chromium's GitHub mirror; especially the raw version is best for curl or wget. The list is a non-standard JSON with comment lines. It is possible to analyse it with jq after removing the comments with e.g. sed.
Here, the jq gives all domain names on the preloaded list and the grep reduces it into TLDs:
cat transport_security_state_static.json \
| sed 's/^\s*\/\/.*//' \
| sed '/^$/d' \
| jq -r '.entries[]|select(.include_subdomains==true)|"\(.name)"' \
| grep -P "^\.?[a-z]*\.?$"
To search for public suffixes instead of TLDs:
cat transport_security_state_static.json \
| sed 's/^\s*\/\/.*//' \
| sed '/^$/d' \
| jq '.entries[]' \
| jq 'select((.policy=="public-suffix") and (.include_subdomains==true))' \
| jq -r '"\(.name)"'
