Auth isn't that resource-intensive if you use a JWT or similar.  No HTTP server is asking for a complete OAuth flow on every request.

I don't know enough about Tor and I2P to know whether HTTP servers would make that easier.

I do know HTTP is a heck of a lot easier on client developers.  I am planning to support HTTP servers for some Nostr functionality in the future.  Maybe we can make a dev kit bundle that makes it easy for relay operators to add an HTTP surface to their relays, so it can stay decentralized.