
hex-m, last Tuesday at 10:34 PM (2 replies)

Firefox, Safari, Chrome, Edge and even Brave have "HTTPS first" or "HTTPS by default" enabled out of the box. HTTP is only used as a fallback.


Replies

baobun, yesterday at 11:11 AM

Why are you saying lies?

I just installed fresh Chromium and Firefox in a clean Linux VM and typed "google.com" (and a few others) in the URL bar with tcpdump running, and they both initiated with TCP port 80. Can confirm that the https-only setting is disabled for both when looking in settings/preferences.

> HTTP is only used as a fallback.

Separately, using HTTP as fallback makes the whole thing mostly pointless security-wise. If an attacker can MitM port 80 it is very likely that they can also interfere with 443 to silently force a protocol downgrade. STRIPTLS.

SMTP STARTTLS has the same problem. ISPs and authorities have been known to harvest email traffic by the same technique.

We don't really need HSTS to address most scenarios. Just have the browser not attempt http:// for addresses in the address bar unless explicitly specified. Have it try https:// without falling back to http://.

HTTPS-by-default with fallback is not a good default setting since it's vulnerable to the above attack. Strict HTTPS-only is not a good default setting since it prevents legitimate http traffic on internal networks. HSTS adds problematic edge-cases. It's hard to fathom that none of the major browser vendors seem to have figured out the obvious solution to just stop inferring http:// unless asked for.
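To make the three behaviours compared in the comment above concrete, here is an added example (not from the thread or from any browser's code) that models how a browser would resolve address-bar input under each policy; the policy labels and the `https_reachable` flag are constructed for the illustration.

```python
from urllib.parse import urlsplit

# Policies modelled here (constructed labels, not real browser setting names):
#   "https_first"   : try https://, silently fall back to http:// on failure
#   "https_only"    : never use http://, even when the user typed it explicitly
#   "no_infer_http" : the proposal above; only *infer* https://, never http://,
#                     but honour an explicit http:// typed by the user
POLICIES = ("https_first", "https_only", "no_infer_http")


def resolve(typed, policy, https_reachable):
    """Return the URL the browser would end up on, or None if it refuses to load.

    typed           : raw address-bar input, e.g. "intranet/wiki" or "http://10.0.0.5"
    https_reachable : whether the https:// attempt would succeed (in a real browser
                      this is the outcome of the TCP/TLS connection, which an
                      on-path attacker can make fail on purpose)
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    explicit = typed.startswith(("http://", "https://"))
    # Bare input carries no scheme; prepend one so urlsplit parses the host.
    parts = urlsplit(typed if explicit else "https://" + typed)
    host = parts.netloc
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query

    if explicit and parts.scheme == "http":
        # The user asked for plaintext explicitly (e.g. a LAN device with no cert).
        return None if policy == "https_only" else f"http://{host}{path}"

    # Every remaining case wants https:// first.
    if https_reachable:
        return f"https://{host}{path}"
    if policy == "https_first":
        # The downgrade path: blocking 443 lands the user on plaintext HTTP.
        return f"http://{host}{path}"
    # https_only and no_infer_http: no silent downgrade, the page fails to load.
    return None
```

Running the same input through each policy shows the trade-off: only "https_first" ever produces an http:// URL the user did not type, and only "https_only" refuses an http:// URL the user did type.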

gwbas1c, yesterday at 4:16 AM

Then why did mine do http first? Use the F12 screen to watch your browser resolve a domain that you type into the address bar.