I did. And to be double sure, I just removed the existing sitemap, and regenerated again. Same result.
It appears that wordpress is doing a replace of all http:// with https:// in config options when force_ssl_admin is set, so that things work when logged into the wp-admin site (and don't generate a bunch of errors about some content being insecure).
might it be better to just regrab that value from wp-config.php when generating the sitemap, to avoid this? I'm not sure how Google XML Sitemap does it, but it does not have the same issue. =/
Thankfully, the sitemap is visible to google, so it's really only an issue if I try to look at it from a web browser (or something that actually uses the xsl file).