In imap and pop3, --ssl-reqd is silently ignored if the capability command failed.
In ftp, a non-standard 230 response (preauthentication?) in the greeter message forces curl to continue unencrypted, even if TLS has been required.
Use a parameterizable test server to fail capability command for imap (CAPABILITY reply: A001 BAD Not implemented) and pop3 (CAPA reply: -ERR Not implemented) and to send response code 230 in FTP server greeting message.
These 3 commands are successsful, but network sniffing shows that TLS is never negotiated.
A MitM can silently deny mandatory TLS negotiation and thus sniff and/or update unencrypted transferred data.