Board: Development & Technical Discussion
Re: Invoices/Payments/Receipts proposal discussion
by Carlton Banks on 22/10/2013, 14:58:31 UTC
All these "you"s are the person sending the payments request, are they not?
The use of x.509 in the payment protocol is for non-repudiation (which many secure communications channels don't provide, including SSL).

The repudiation issue highlights my concerns, not because websites can send unsolicited payment requests as you allude to, but because the requester is in control of what and how it is sent, not just the circumstances under which they send. You addressed this with an unqualified assertion that:

with one [a secure communications channel] your usage of the payment protocol is secure from privacy or theft attacks even if the x.509 certs aren't secure.

The qualitative security of this secure communications channel is not established by mere virtue of your description of it being suggestively absolute. This is just not a way to establish confidence that such statements are correct.