
How does this work technically? What prevents use of plaintext http on these domains? The preloading seems like a browser specific feature.



HSTS can be enabled for a whole domain. See here: https://hstspreload.org/#tld

General information about HSTS: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

But you are right that it is a browser thing.


It is only enforced by the browser. So curl and similar stuff still works. But on a side note: why shouldn't it? It is just a domain; whatever is running on the resolving IP address is up to the server administrator.


I don't think there's anything stopping you from using plain HTTP when _not_ using a browser, such as through a server-side HTTP client or a random Python script you could whip up in 2 minutes.

From what I can tell, the only enforcement is this gentleman's agreement between the browsers.
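
Added example, not part of any comment in this thread: a sketch of the lookup a preload-aware client performs before it opens a connection, which is why a client that ships no preload list still speaks plain HTTP. The entry fields follow the shape of Chromium's preload list; the entries themselves and the function names are constructed for illustration.

```javascript
// Constructed sample entries in the shape of Chromium's preload list
// (name / include_subdomains / mode). The names are illustrative only.
const PRELOAD = [
  { name: "example-tld", include_subdomains: true, mode: "force-https" },
  { name: "login.example.com", include_subdomains: false, mode: "force-https" },
];

// Walk from the full host name up to the TLD label. An exact match always
// applies; a parent entry applies only when it sets include_subdomains.
function preloadMatch(host, list = PRELOAD) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    const entry = list.find(
      (e) => e.name === candidate && e.mode === "force-https"
    );
    if (entry && (i === 0 || entry.include_subdomains)) return entry;
  }
  return null;
}

// The rewrite happens inside the client, before any packet is sent.
// A client with an empty list (the curl case above) leaves the URL alone.
function upgradeIfPreloaded(rawUrl, list = PRELOAD) {
  const url = new URL(rawUrl);
  if (url.protocol !== "http:" || !preloadMatch(url.hostname, list)) {
    return url.href;
  }
  url.protocol = "https:";
  return url.href;
}

// Same URL, two clients: one with the list, one without.
const sample = "http://foo.example-tld/path";
console.log("with list:   ", upgradeIfPreloaded(sample));
console.log("without list:", upgradeIfPreloaded(sample, []));
```

A whole-TLD entry is just a one-label name with `include_subdomains` set, so every host under it matches on the last loop iteration.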



