All -
I noticed this in 2.1, and double-checked, and I believe this is an issue in 2.0 as well. I will be testing a PR for 2.1 for some SSL items over the next few weeks.
In loadTheme(), there is some logic that deals with alternate URLs. These can include anything from detected https/http differences, to using an IP address to load the board, to using alias URLs.
When a valid 'alternate' is detected, it updates all of the board URLs in $modSettings in memory prior to loading the theme. It does not update custom_avatar_url.
I believe that there will be instances, for example, when somebody invokes a page via http on an https forum or vice-versa, where this may cause avatar issues. This code is ~L1579:
// And just a few mod settings :).
$modSettings['smileys_url'] = strtr($modSettings['smileys_url'], array($oldurl => $boardurl));
$modSettings['avatar_url'] = strtr($modSettings['avatar_url'], array($oldurl => $boardurl));
This was fixed in 2.1.