I don’t know if Automatic HTTPS Rewrites adds any latency. I assume it has to, as parsing the body is never going to be free, but I’d like to see actual data.
Personally, I think that two Content Security Policies will give you the same benefit in modern browsers, and eventually get you to a place without any mixed content. HSTS and Always Use HTTPS only work on first-party URLs, so any accidental third-party HTTP will not be changed by those two settings.
Content-Security-Policy: upgrade-insecure-requests; default-src https:
Content-Security-Policy-Report-Only: default-src https:; report-uri /endpoint
The upgrade policy works even where Automatic HTTPS Rewrites fails. Any clients that support CSP (most recent versions, except IE) will get a secure experience, and the Report-Only policy will give you telemetry that enables you to fix the issues as they are located. You should eventually get to a place where the report-only policy is not sending any data.
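To make the telemetry in the post concrete, here is an added example (not code from the post or from Cloudflare) of what the `/endpoint` receiver has to do with the reports that a `Content-Security-Policy-Report-Only: default-src https:; report-uri /endpoint` header produces. The `report-uri` format is a JSON body with a single `csp-report` object; the example parses that, keeps only reports whose `blocked-uri` is an `http:` network request (a policy without `'unsafe-inline'` also reports `inline`, `eval` and `data` resources, which are not mixed content), and counts them per host, labelling each host first-party or third-party so you can see which ones HSTS / Always Use HTTPS would fix on its own and which need the upgrade directive. The sample report bodies and the first-party host list are constructed for the example.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# blocked-uri values that are not network fetches and therefore not mixed content
NON_NETWORK = {"", "inline", "eval", "data", "blob", "self", "wasm-eval"}


def parse_report(body: str):
    """Return the `csp-report` object from a report-uri POST body, or None if malformed."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    return report if isinstance(report, dict) else None


def is_mixed_content(report: dict) -> bool:
    """True when an https: document tried to load an http: network resource."""
    blocked = report.get("blocked-uri", "")
    if blocked in NON_NETWORK:
        return False
    page_scheme = urlsplit(report.get("document-uri", "")).scheme
    return urlsplit(blocked).scheme == "http" and page_scheme == "https"


def summarize(bodies, first_party_hosts):
    """Aggregate mixed-content reports per blocked host.

    Returns {host: {"party": "first-party"|"third-party",
                    "count": n, "directives": [...]}}.
    Malformed bodies and non-mixed-content reports are skipped.
    """
    summary = defaultdict(lambda: {"party": None, "count": 0, "directives": set()})
    for body in bodies:
        report = parse_report(body)
        if report is None or not is_mixed_content(report):
            continue
        host = urlsplit(report["blocked-uri"]).hostname
        entry = summary[host]
        entry["party"] = "first-party" if host in first_party_hosts else "third-party"
        entry["count"] += 1
        entry["directives"].add(report.get("effective-directive", "?"))
    return {h: {**e, "directives": sorted(e["directives"])} for h, e in summary.items()}


def _report(blocked, directive, page="https://www.example.com/page"):
    # helper to build a constructed report-uri POST body
    return json.dumps({"csp-report": {
        "document-uri": page,
        "violated-directive": directive,
        "effective-directive": directive,
        "original-policy": "default-src https:; report-uri /endpoint",
        "blocked-uri": blocked,
        "status-code": 200,
    }})


# Constructed sample POST bodies, as a browser would send them to /endpoint
SAMPLE_BODIES = [
    _report("http://cdn.partner.net/banner.png", "img-src"),
    _report("http://www.example.com/js/legacy.js", "script-src"),   # first-party http:
    _report("inline", "script-src"),                                 # not mixed content
    _report("http://cdn.partner.net/tracker.js", "script-src"),
    _report("data", "img-src"),                                      # not mixed content
    "this is not json",                                              # junk POST
]

FIRST_PARTY = {"www.example.com", "example.com"}

if __name__ == "__main__":
    for host, info in summarize(SAMPLE_BODIES, FIRST_PARTY).items():
        print(f"{host}: {info['count']} report(s), {info['party']}, {info['directives']}")
```

In practice the third-party hosts in this summary are the ones the post is talking about: nothing on the first-party side will rewrite them, so they stay until the markup is fixed or the upgrade directive is in place, while first-party hosts disappear once HSTS / Always Use HTTPS is on. Note that `report-uri` is the older mechanism; newer browsers also support `report-to`, whose body is a JSON array with a different shape, so a production endpoint should accept both.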