Can you propose any solution, especially for problem no. 2?
I can imagine there could be a Let’s Encrypt client built in to obtain a trusted certificate for the HTTPS on the first run, however, which domain name should it use? What if router is not accessible from the Internet? Using wired connection from your computer directly to the router gives very small attack surface even without encryption.
Issue number 1 I don’t see as any issue at all. As a priveleged user, you can reset Wi-Fi password any time, you can read it from the config files or even directly from router memory. Password visibility in the router setup allows you, on the other hand, to make use of the QR codes for quick Wi-Fi connection (they also contain cleartext password, in case you didn’t spotted that).