That is correct. However it's trivial for a MiTM attacker to perform an SSL stripping attacks when the victim is communicating with sites that support plain HTTP.
Hmm, if you can control the plaintext network isn't there an NTP attack to reverse time and use old compromisable certificates or move it forward past hsts max age?