Since the connection to your web site is not secured, an attacker could
includes over HTTP) to replace the Stripe script with a malicious service
of their choosing which looks the same, but steals the user's credit card
If my website sends a request to https://www.google.com, is that any less secure than me
typing that into my browser?
Yes, it is, because the address being requested may be under the control
of an attacker that has modified the contents of the page in transit, and
it will not necessarily be apparent to a user if the address has actually
been substituted for a different one.