Unfortunately it seems like the plan is to support "opportunistic encryption", aka self-signed certificates, which can be trivially generated for MITM attacks.
I doubt self-signed certificates will stop proxy servers, broken security products, and Verizon and AT&T doing MITM to inject UIDH tracking cookies.
The idea is to allow any certificate, but utilise DNSSEC to verify that it is legitimate. If the necessary records are missing, or DNSSEC isn't set up, self-signed certs would not be accepted - as per now.
Technically they can do it, but if they will start doing it just to support HTTP/2 then at least they'll build their hacks with the knowledge of the HTTP/2 protocol.
Self-signed certificates sound better than just plain text for compatibility reasons.
The user agent shouldn't give any indication to the end user that the connection is secure though.
I doubt self-signed certificates will stop proxy servers, broken security products, and Verizon and AT&T doing MITM to inject UIDH tracking cookies.