It would be good for Cloudflare to offer ease of MTA-STS configuration, this feature doesn’t really seem to be offered widely.
It would be very simple for Cloudflare to implement, as MTA-STS just requires DNS and a single file hosted with SSL, both of which are offered by Cloudflare.
Cloudflare R2 should be able to just host and serve that single file.
It would seem to an outsider like me that TLSA on isaac, linda and amir.mx.cloudflare.net would be trivial, and have more benefit than MTA-STS. And if Cloudflare don’t do it, nobody else can either.
On the TLSA records for Universal and ACM certs, again only Cloudflare can do this, and if they did, I’m sure that user-agents would suddenly have a reason to start supporting it. I’m not sure if there is a reason the browsers do not currently support TLSA validation.
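For readers unfamiliar with what a TLSA record for an MX host contains, here is an added example (not Cloudflare's code, and not tied to any real certificate) that builds and verifies a `_25._tcp.<mx>` TLSA record in the DANE-EE form. It uses selector 0 (the whole certificate) rather than selector 1 (SubjectPublicKeyInfo) because extracting the SPKI needs an ASN.1 parser; the certificate bytes and the MX hostname `mx.example.net` are constructed placeholders.

```python
import hashlib

# Constructed stand-in for a DER-encoded certificate; not a real certificate.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_MX = "mx.example.net"  # placeholder MX hostname

USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}


def association_data(cert_der: bytes, selector: int, mtype: int) -> str:
    """Return the hex 'certificate association data' for the given selector/matching type."""
    if selector != 0:
        raise NotImplementedError("selector 1 (SPKI) needs an ASN.1 parser; only full-cert shown")
    if mtype == 0:
        return cert_der.hex()
    if mtype == 1:
        return hashlib.sha256(cert_der).hexdigest()
    if mtype == 2:
        return hashlib.sha512(cert_der).hexdigest()
    raise ValueError(f"unknown matching type {mtype}")


def build_tlsa(mx_host: str, cert_der: bytes, usage: int = 3, selector: int = 0, mtype: int = 1) -> str:
    """Render a zone-file line for the MX host's SMTP port (RFC 7672 style owner name)."""
    if usage not in USAGES:
        raise ValueError(f"unknown usage {usage}")
    data = association_data(cert_der, selector, mtype)
    return f"_25._tcp.{mx_host}. IN TLSA {usage} {selector} {mtype} {data}"


def parse_tlsa_rdata(rdata: str) -> tuple:
    """Parse 'usage selector mtype hexdata', validating each field's range."""
    parts = rdata.split()
    if len(parts) != 4:
        raise ValueError("TLSA rdata needs exactly four fields")
    usage, selector, mtype = (int(x) for x in parts[:3])
    if usage not in USAGES or selector not in SELECTORS or mtype not in MATCHING:
        raise ValueError("unregistered usage/selector/matching type")
    data = parts[3].lower()
    bytes.fromhex(data)  # raises ValueError if not valid hex
    return usage, selector, mtype, data


def tlsa_matches(rdata: str, cert_der: bytes) -> bool:
    """True if the presented certificate satisfies the record's association data."""
    usage, selector, mtype, data = parse_tlsa_rdata(rdata)
    return association_data(cert_der, selector, mtype) == data


if __name__ == "__main__":
    line = build_tlsa(SAMPLE_MX, SAMPLE_CERT_DER)
    print(line)
    rdata = line.split(" IN TLSA ", 1)[1]
    print("matches:", tlsa_matches(rdata, SAMPLE_CERT_DER))
```

The record itself is only half the story: a sending MTA will only act on it if both the TLSA record and the MX lookup are DNSSEC-signed, which is why the person answering the zone has to be the one who publishes it.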