My previous response to similar concerns is relevant. To elaborate:
If nothing prevents bad behavior from an ISP, and it has happened before, then you should assume it’s happening. This extends to injecting JavaScript apps into insecure connections.
- Marriott hotels inject scripts via Revenue eXtraction Gateway hardware (2012)
- Infrastructure likely belonging to the Great Firewall of China tampers with Baidu analytics to DDoS GitHub (2015)
- Comcast continues to inject its own code into websites you visit (2017)
- How is my ISP able to inject into this webpage? (2019)
- Optimum ISP is MITMing its customers (2023)
Unless you trust every hop from your browser to the destination server (and back), assume anything unencrypted can and will be inspected (and potentially tampered with). Encrypt everything you can.