Isn’t that what’s happening? The browser shows a big warning with context and then the human makes a decision to click the “do this it’s fine” button.
The exception is cases where the site operator has opted in to HSTS or similar to indicate their decision to rather disable access than allow insecure access.
The issue is that there shouldn't be a case where it's impossible to override it, because then the problem is unfixable when the misconfiguration occurs in that case.
It's also overloading what HSTS is supposed to be for. Normally if you go to a site via HTTP, it loads without comment, which is less secure than loading a site via HTTPS that has an expired or self-signed certificate. HSTS it to say, don't do that.
Allowing the site to tell the user agent to do something according to the wishes of the site owner in a way that can't be overridden by the user is not something that user agents should ever do.
Literally the entire point of HSTS is to allow websites to communicate to browsers that they can only be loaded in a valid TLS session. It's a defense against TLS-stripping. If you turn that on for your blog, that's on you. Serious question: what could they be "overloading" about HSTS here? What other purpose do you think it had?
