To me this seems to be Much Ado About Nothing (with apologies to WS). In my tests, with either "TLS" and "SSL" for "Use secure connection", Thunderbird establishes a secure connection *before* attempting authentication, thus obviating all of the four scenarios. There's only a risk if the user chooses "No" or "TLS, if available" for "Use secure connection", which are valid user choices (whether we approve or disapprove).
To me this seems to be Much Ado About Nothing (with apologies to WS). In my tests, with either "TLS" and "SSL" for "Use secure connection", Thunderbird establishes a secure connection *before* attempting authentication, thus obviating all of the four scenarios. There's only a risk if the user chooses "No" or "TLS, if available" for "Use secure connection", which are valid user choices (whether we approve or disapprove).