Comment by jsheard

Every browser requires H2 connections to be encrypted so I don't think a MITM downgrading to it would reveal anything. Downgrading to H1 might do since encryption is optional there, but the proper way to prevent that is to submit your domains to the HSTS preload list so that browsers will always require encryption, regardless of protocol, no exceptions.