There was a mild uproar recently about Firefox adding a feature that could allow mozilla to push out extension blacklists or something, or disable extensions entirely for a specific site (for "security" of course). I'd read the details but all I have is a reddit link and all the libreddit instances are ratelimited rn: r/MozillaInAction/comments/14rt5jx/firefox_115_can_silently_remotely_disable_my/
so I just saw an HSTS popup and was reminded: there's already a sorta analagous feature that restrict's the user's ability to make their own decisions on privacy/security matters: HSTS. It prevents users from loading a page without working HTTPS even if they want to take that risk, and it is controlled by the site owner entirely, the user has no say.
Not allowing users to let themselves get MITM'd is good, actually
I think we should always have a way to bypass that kind of thing though. Use a secret keyboard command and then have to type "Yes I would very much like to get hacked and have all my data stolen thank you" verbatim maybe. I don't think we should ever be flatly saying "no" to the user If they know what they're doing and want to take the risk.