(4) is solved by HSTS preloading. The request is upgraded to https before any traffic hits the network, even if you've never visited the domain before. The list of HSTS preloaded domains and TLDs is hard-coded into your browser. For more info: https://hstspreload.org/
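To make the mechanism above concrete, the following is an added example (not code from either commenter, and not the real browser list or the hstspreload.org checker): a browser-side lookup against a small constructed preload list, and a server-side check of a Strict-Transport-Security header against the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, and the preload token). The entry names, the `include_subdomains` flag and the `SAMPLE_PRELOAD_LIST` contents are assumptions for illustration; the real list is compiled into the browser and only changes when the browser updates, which is why a stale list silently misses newly added domains.

```python
"""Added illustration of HSTS preloading: static list lookup plus header eligibility check."""
from dataclasses import dataclass
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # minimum max-age (seconds) that hstspreload.org accepts


@dataclass(frozen=True)
class PreloadEntry:
    name: str
    include_subdomains: bool  # whether the entry also covers every subdomain


# Constructed sample list for illustration only; a browser ships a hard-coded
# list of thousands of names (Chromium's transport_security_state_static.json).
SAMPLE_PRELOAD_LIST: Dict[str, PreloadEntry] = {
    "example.com": PreloadEntry("example.com", include_subdomains=True),
    "app.example.net": PreloadEntry("app.example.net", include_subdomains=False),
    "dev": PreloadEntry("dev", include_subdomains=True),  # a whole preloaded TLD
}


def preload_status(host: str, preload_list: Dict[str, PreloadEntry] = SAMPLE_PRELOAD_LIST) -> Optional[PreloadEntry]:
    """Return the list entry that forces HTTPS for `host` before any network traffic, or None.

    Mirrors the browser's behaviour: walk up the label chain so that an ancestor
    entry flagged include_subdomains covers the host, while an exact ancestor
    entry without that flag does not.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = preload_list.get(candidate)
        if entry is None:
            continue
        if i == 0 or entry.include_subdomains:
            return entry
        # Ancestor entry without include_subdomains: keep climbing, a higher one may match.
    return None


def parse_hsts(header: str) -> Dict[str, str]:
    """Parse a Strict-Transport-Security header value into {directive: value}.

    Directive names are case-insensitive (RFC 6797); valueless directives map to "".
    """
    directives: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def preload_eligibility_problems(header: str) -> List[str]:
    """Return the reasons a header would be rejected by hstspreload.org (empty list = eligible)."""
    d = parse_hsts(header)
    problems: List[str] = []
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        problems.append("max-age missing or not an integer")
    else:
        if max_age < ONE_YEAR:
            problems.append(f"max-age {max_age} is below the one-year minimum of {ONE_YEAR}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    for h in ("www.example.com", "x.app.example.net", "anything.dev", "example.org"):
        print(h, "->", preload_status(h))
    print(preload_eligibility_problems("max-age=300"))
    print(preload_eligibility_problems("max-age=31536000; includeSubDomains; preload"))
```

Note that the lookup never touches the network: a host either is or is not in the embedded list, and "not in the list" simply means the very first request can go out over plain HTTP. Eligibility for submission is only the server-side half; the hstspreload.org site additionally verifies that the HTTP origin redirects to HTTPS and that every subdomain also serves the header before accepting a domain.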
Clearly it's not solved by preloading, since an old list invalidates the preload, not every site supports HSTS, and I imagine they would have individual expiry times (but perhaps not as a preload).
Also, does that site even work?
Status: google.com is not preloaded.
Status: microsoft.com is not preloaded.
Status: duckduckgo.com is not preloaded.
Status: news.ycombinator.com is not preloaded.
Status: aws.amazon.com is not preloaded.
Status: bankofamerica.com is not preloaded.
Status: capitalone.com is not preloaded.
Well right off the bat, I'm screwed... I hope nobody else on the internet is visiting these sites.