I think I found the topic you're paraphrasing which explains the limitations of HSTS:

"HSTS is designed to FORCE the use of https, this is a good thing in most cases. However, HSTS is problematic in that it incorrectly assumes that all users trust the default list of CAs and makes the adding of exceptions impossible even by advanced users.

torprojec.org [sic] is just an example, this effects every HSTS site. You can reproduce this problem yourself in version 17 or later if you temporary disable "DigiCert High Assurance EV Root CA" in your certificate store and then visit torproject.org. You will notice the ability to add exceptions has been removed and that the cert_override.txt file found in the user's profile is also ignored."

https://support.mozilla.org/en-US/questions/942924

HPKP limits trust from all CAs to just a few. Its an improvement over the status quo but unless keys are managed vigilantly, sites risk breaking connections of all their users. So many sites especially major ones decide against taking this risk.

https://news.netcraft.com/archives/2016/03/22/secure-websites-shun-http-public-key-pinning.html

Without HSTS a site that has non-encrypted resources/subdomains or pages is vulnerable to sslstrip.

https://security.stackexchange.com/questions/91092/how-does-bypassing-hsts-with-sslstrip-work-exactly

Well, if you explicitly type/paste "https://" in the url, sslstrip and
similar do not apply. But very few people do that, most follow some
link, or type just "www.torproject.org" instead of
"https://www.torproject.org".

I see, so if a link to a file download with https:// is pasted into a browser, we can be sure that ssl will be used (at least without the browser showing a warning about an attempted sslstrip attack). The issue is only, that the ssl certificate button / padlock is invisible. That's something we can document.

• https://www.whonix.org/wiki/Secure_Downloads
• https://forums.whonix.org/t/long-wiki-edits-thread/3477/221