
Just because you can separately verify that something is secure later does not mean that it's secure at the time of the download. Browsers show that a website is securely encrypted once they've been able to verify it. It's entirely proper for them to show that a download is insecure before they've been able to verify it.

If you get a phone call from an unknown caller, do you get mad at your phone for listing that as an unknown caller just because you could theoretically add that number to your contact list later? Or to talk directly about PGP, do you get mad when you see an untrusted/unknown key warning because theoretically you could add that key to your keyring later after verifying it yourself? Of course not.

The browser is telling you that at that moment, the code/download you are getting is insecure. If you take that code/download out of the browser and verify it separately, then great! But that doesn't mean the browser was wrong. If anything, insecure connection prompts should be a welcome reminder to you that you need to externally validate the data you're receiving.

> That's the only difference.

The difference is that one of them happens inside the browser, and one of them doesn't.



