Will HTTP/2 still need a security certificate or is it already encrypted by default?


It’s a layman’s question, but I’d like some information on the subject...

With HTTP we have the option of using an SSL-type security certificate to ensure the encryption of the data that passes through the site, etc. This way the protocol changes to HTTPS.

I wonder if in the new HTTP/2 protocol I will still need these certificates, or if HTTP/2 is already encrypted by default, offering a more secure connection etc. Or will we have the HTTPS2 or HTTP2S protocol?

With HTTP/2, will I still need to worry about this type of security?

1 answer



The fact that it is "encrypted by default" would not remove the need for certificates. Encryption and the certificate play completely different roles.

What’s more, HTTP/2 has H2C (HTTP/2 without TLS), which is not encrypted at all, but this is not supported by browsers.


Encryption is only meant to protect the data in transit, and that is not all. Just having the data transferred in an encrypted way is not enough, since there is no certainty that you are communicating with the correct website.

The certificate tries to fix this problem. Your device has a list of public keys of trusted authorities (the "Certificate Authorities" or "CAs"), so your computer trusts these entities.

When you visit a website (site.com), it is checked whether the certificate was issued by one of those authorities (and whether the certificate is listed in the CT log); if the certificate is valid (and was issued by a trusted CA), then you are accessing the correct website. That is, by accessing site.com you will be sure that it is site.com that will receive the information.

A malicious agent, as a rule, will not be able to forge a certificate and impersonate site.com. A CA will request evidence to confirm ownership of site.com, and the attacker will be unable to provide it. If it does, the certificate will also appear in the CT log and it will be noticeable that something went wrong. If a CA is corrupt it will likely be removed in the future, as has happened in the past with Symantec, WoSign, DigiNotar...

The certificate does not confirm whether the intentions of the site are good or bad. A loja.com with a certificate can also steal your credit card details. The difference is that the data was sent securely and you were sure it was going to loja.com, not to someone posing as loja.com, which could happen without a certificate.

So certificates will still be needed, maybe even more so, since you will need them to use HTTP/2.
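As an added illustration (not part of the original answer), the following Go program uses the standard library's crypto/x509 to build a small trust store and run the two checks the answer describes: the chain must end in a CA the device trusts, and the certificate must name the host actually being visited. The CA names, site.com and loja.com are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for name, signed by parent; with a nil parent it is self-signed (a root CA).
func newCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, DNSNames: []string{name}, // DNSNames binds the cert to a host
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyFor is the browser's check: the chain must end in a trusted root AND the certificate must name the visited host.
func verifyFor(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
func main() {
	ca, caKey := newCert("trusted-ca", nil, nil)     // the one root the device trusts (constructed)
	rogue, rogueKey := newCert("rogue-ca", nil, nil) // a CA that is not in the trust store (constructed)
	site, _ := newCert("site.com", ca, caKey)        // legitimate certificate
	fake, _ := newCert("site.com", rogue, rogueKey)  // same name, untrusted issuer
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	fmt.Println(verifyFor(site, roots, "site.com")) // <nil>: trusted issuer and matching host
	fmt.Println(verifyFor(site, roots, "loja.com")) // error: the certificate is not for loja.com
	fmt.Println(verifyFor(fake, roots, "site.com")) // error: issued by an unknown authority
}
```

The third case is the impersonation the answer talks about: the certificate says site.com, but because no trusted CA vouched for it, the browser rejects it even though the connection would be encrypted.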

  • What if the malicious agent uses a recognized certificate? Would it then be trustworthy?

  • @Andersoncarloswoss If the certificate is issued by an authority you trust, it is trustworthy. Somehow they would have to convince a CA to issue a certificate, or steal the legitimate website’s private key. But what is easier is to convince you to trust an untrustworthy authority (send you a .crt file and have you add it as trusted), or your device already comes from the manufacturer with an authority of that kind.

  • Thanks for the answer, it helped shed some light on things. Regards
