
The HTML spec also defines that audio can be set to autoplay and the JS spec allows websites to freely open popups. Yet browsers are able to ignore that in the interest of the user - because they are (supposed to be) user agents, not website agents that have to blindly follow what the website says. Browsers are free to not implement user-hostile specs or only implement parts of them, and they commonly choose to do so.

Ultimately, protocol specs have no purview over user interaction and can at best recommend the expected behavior. There is nothing wrong with the browser telling the user that this website is expected to be accessed through TLS with a valid certificate and isn't, and to redirect HTTP requests to HTTPS, but the spec is no excuse for the browser not letting the user override that policy.

So no, the ire should be directed at the browser, because the browser is there to make sure my interests as the user are followed, not those of some website owner (or someone making decisions for them, like Google for *.dev).



Neither the HTML spec nor the JavaScript spec requires that audio be autoplayed or that pop-ups be opened without restriction. HSTS is different in this respect.

I'm sure if you want to hack your browser so that it ignores that header you can, but the idea is that any server sending that header is telling you to go away if the certificate is invalid.
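The HSTS behaviour the two comments argue about, as an added example that is not part of the thread: a constructed, simplified model of a user agent's HSTS store (no persistence or preload list) that parses the Strict-Transport-Security header and decides whether a navigation is upgraded, hard-failed with no click-through, or left to the user.

```python
import time

def parse_hsts(header):
    # Returns (max_age, include_subdomains), or None when max-age is missing or
    # non-numeric, in which case a user agent ignores the header entirely.
    max_age, include_sub = None, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    """Constructed per-host HSTS cache; a real browser also persists it and merges a preload list."""
    def __init__(self, now=time.time):
        self._now = now
        self._hosts = {}  # host -> (expiry timestamp, include_subdomains)

    def record(self, host, header, over_valid_tls=True):
        # RFC 6797: the header only counts when received over TLS with a valid certificate.
        parsed = parse_hsts(header)
        if parsed is None or not over_valid_tls:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 tells the UA to forget the host
        else:
            self._hosts[host] = (self._now() + max_age, include_sub)
        return True

    def is_known(self, host):
        # Exact host match, or an unexpired parent entry that set includeSubDomains.
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry[0] > self._now() and (i == 0 or entry[1]):
                return True
        return False

def decide(store, scheme, host, cert_valid):
    # 'upgrade' http:// for a known host; 'hard-fail' (no click-through) on a TLS
    # error for a known host; 'warn' (user may override) for an unknown host.
    known = store.is_known(host)
    if scheme == "http":
        return "upgrade" if known else "proceed"
    if cert_valid:
        return "proceed"
    return "hard-fail" if known else "warn"
```

The `over_valid_tls` flag and the `warn`/`hard-fail` split are the point of contention above: only hosts whose policy was learned over a valid TLS connection lose the override.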



