Comment by lxgr 2 days ago

Then only allow self-signed certificates for literal IPs or those on .local (and other private/reserved TLDs).

Right now, .local is completely impossible to encrypt, as well as impossible to use “secure origin” APIs on, which is a shame.

stackskipton 2 days ago

.local also hasn't been best practice since 2005. The current recommendation, because of certificates, is to use an internal-only subdomain of a domain you have control over.

  • lxgr a day ago

    What? .local is the dedicated TLD for Zeroconf/Bonjour/mDNS! How is that deprecated?

    And you’re just reconfirming my point: All of these recommendations are great for publicly hosted sites or corporate environments, but largely impracticable for home users that don’t know how to, or don’t want to, have a second job as sysadmins.

    • stackskipton a day ago

      Home users also don't have IMAP servers they run themselves. They are on a public email service.

      • lxgr a day ago

        I don't think it's crazy for a NAS to provide an IMAP server, e.g. to back up or archive a large mailbox.

        One of the selling points of a NAS is that storage is much cheaper than what the large cloud providers charge per GB and month.

        • stackskipton a day ago

          Cool, you don't, but obviously you don't deal with a ton of normal users. They are not running NASes; they will just toss Google some cash for a bigger Gmail box.