That’s not what HSTS does. It asks the client to remember that you want to only use TLS for that domain and refuse to use unencrypted HTTP in the future.
The IAC tool could just as easily recognize the change as a part of the current state instead of the desired, and revert the drift. Whereas stored state would likely miss the drift without another process to compare and update the stored state against the actual.
Could be a performance thing. If a database is stressed and you are unwilling/unable to scale or optimize it, you can use a captcha to cut automated traffic.
It's not because I think it's exploitable in any way (it's not - public keys are public), but because it's a neat feature I found interesting that many people don't know about. It also has potential use cases, like automatically keeping a machine's authorized_keys up to date with members in a team, or skipping having to ask for someone's public key when sharing access.