On the other hand: how would one be notified on a pending update, when automatic update is not enabled?
We’ve seen an update for the security certificates in the past, being quite essential:
(The current Amazon root embedded in the Kickstarter gateway is valid until 31 December 2037. The ISRG root until 4 June 2035. And the DST root is due first, on 30 September 2021. I’ve no idea if all these are used, but that’s irrelevant if the certificate chain for the server changes to use a different root.)