why don't you look at the secure() & to() functions and see if there is any significant things being done or secure is just adding an s to http://..

It doesn't; secure() even calls to(). But why going through the trouble? It looks all pretty clear and maybe it's just because Laravel doesn't want to force you to work in a certain way.

I guess I'm overthinking stuff lol

There is always the forceShema() function on the URL generator to force http or https to be generated throughout your site. https://github.com/laravel/framework/blob/4.2/src/Illuminate/Routing/UrlGenerator.php#L204

The URL in app.php config file is only used by Artisan to generate URL for the application, its completely ignored when your application is accessed from the web.

Personally I generate URLs either by controller actions URL::action() or named routes URL::route(), that way when I want/need to change the URL structure of a route I don't need to go through my application change change all the URL::to() etc. They're generated dynamically and only set in one place which makes them easily maintainable.