Sure, I got it. No one wants a MIM attack.
@help4 asked about “any consequences”. Once you implement HSTS, it will be at least a small hassle to remove it in order to configure a new subdomain as the OP mentioned.
If we think about it, anyone who’s smart enough to play an MIM attack will surely have at their disposal that first visit where HSTS is not yet implemented. A “first visit” that can be made many times, as any hacker will have capabilities to keep on trying with a new virtual browser each time. Unless we are talking about preloading, which would make the small hassle a HUGE hassle.
We all (well, most of us, I believe) had bad experiences with SSL at one time or another. Free certs expiring without notice, mismatch notices coming apparently out of nowhere, etc. Adding HSTS will not make it easier. Besides dealing with SSL issues per se, you’d be facing other consequences if the solution is not fast enough, such as a Google penalty for the website being unavailable, and even worse, the visitor’s penalty for that same reason.
So my reasoning is this: if you have to ask about HSTS, its consequences, etc., just don’t do it.
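
What removing HSTS involves on the browser side, as an added example that is not part of the original post: a simplified model of a browser's HSTS cache following RFC 6797. The host `example.com`, the timestamps and the names `HstsStore` and `demo` are constructed for illustration.

```python
import re

YEAR = 31536000  # seconds

class HstsStore:
    """Simplified model of one browser's HSTS cache (RFC 6797)."""

    def __init__(self):
        self.entries = {}  # host -> (expiry time, includeSubDomains flag)

    def note_header(self, host, header, now):
        """Apply a Strict-Transport-Security header seen over valid HTTPS."""
        max_age, include_sub = None, False
        for part in (p.strip() for p in header.split(";")):
            m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', part, re.I)
            if m:
                max_age = int(m.group(1))
            elif part.lower() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return  # max-age is mandatory; a header without it is ignored
        if max_age == 0:
            self.entries.pop(host.lower(), None)  # max-age=0 deletes the policy
        else:
            self.entries[host.lower()] = (now + max_age, include_sub)

    def must_use_https(self, host, now):
        """True if a cached, unexpired policy covers host."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            # exact match always applies; a parent only with includeSubDomains
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

def demo():
    """Two constructed visitors to example.com, which sent a one-year policy."""
    policy = "max-age=31536000; includeSubDomains"
    returning, absent = HstsStore(), HstsStore()
    returning.note_header("example.com", policy, now=0)
    absent.note_header("example.com", policy, now=0)
    out = {"new_subdomain": returning.must_use_https("new.example.com", 1000)}
    # The site starts sending max-age=0; only the returning visitor sees it.
    returning.note_header("example.com", "max-age=0", now=2000)
    out["returning_after_removal"] = returning.must_use_https("new.example.com", 3000)
    out["absent_before_expiry"] = absent.must_use_https("new.example.com", YEAR - 1)
    out["absent_after_expiry"] = absent.must_use_https("new.example.com", YEAR + 1)
    return out
```

A browser that does not come back over HTTPS to receive `max-age=0` keeps upgrading requests to the new subdomain until its cached `max-age` runs out.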