From what I have read about Tor, there are potential attacks even when you have HTTPS encryption covering your traffic. Without HTTPS, there are definitely potential attacks from malicious nodes, is that correct?
Without https, if you're connecting to the clearnet, the exit node can see which messages you send and receive. Not only can they surveil you like that, but they can also act as a man-in-the-middle, and alter the information you send and receive. This is why it's insecure to download any file with no standard encryption through Tor.
With https, the exit node cannot perform any of these attacks. It could still see which website is accessed, though.
As the exit node is the node that removes the third (and last) layer of encryption, only HTTPS would have you covered all the way from sender to receiver.
Correct. When visiting
https://bitcointalk.org from Tor Browser, it's only https which secures the information that is being transmitted.
But there could still be correlation attacks despite data being encrypted if someone operates entry and exit nodes and screens patterns, volume, metadata etc. I understand that resources are the bottleneck here for most actors, but resources are very likely not a problem for intelligence agencies.
Not so much for screen patterns, volume and other such metadata, as Tor Browser is built to leave as little fingerprints as possible, but correlating the timing of requests and responses can sometimes leak information about user activity, that is correct.
I have never come to fully understand how probable it is that an organization or any kind of agency is indeed willing to invest tremendous resources in order to be able to draw a picture of what is going on in the Tor network. Has anyone ever read some stuff about that from a reliable source or saw calculations like they can be done for attacks on the bitcoin network?
There have been a bunch of surveys:
https://duckduckgo.com/?q=attacks+on+tor+network%2C+de-anonymization&t=ffab&ia=web. It's not impossible to attack it. It has been successfully attacked in the past.
