This is not so much a bug report as a question.
Why is HSTS not deployed on monzo.me? It’s a system that pretty much has to be completely secure considering what it handles. I’d say it’s a big target.
Without HSTS the site is vulnerable to sslstrip attacks and similar. Some kind of certificate pinning is really needed.
HSTS is of course a trust-on-first-connection system, so you could even go further and include the certificate directly in major browsers, but HSTS is a must at minimum.
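The check the question is really asking for is whether a site's responses carry a usable Strict-Transport-Security header. The following is an added example, not code from the original post or from Monzo; it parses an HSTS header value the way a browser would and reports what is missing or weak (no header, `max-age` below the one-year preload threshold, no `includeSubDomains`, a `preload` token the policy does not qualify for, or a header delivered over plain HTTP, which browsers ignore). The sample response headers are constructed for the example, not captured from any real site.

```python
"""Evaluate Strict-Transport-Security (HSTS) headers from HTTP responses.

Added example. The SAMPLE_RESPONSES dictionaries are constructed inputs,
not real captures.
"""
from typing import Dict, List, Optional

# The browser preload lists require max-age of at least one year (31536000 s).
ONE_YEAR = 31536000


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Parse the directive list of an HSTS header value into a dict.

    Directive names are case-insensitive (stored lower-cased); a directive
    without '=' maps to None, e.g. 'includeSubDomains' -> {'includesubdomains': None}.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def evaluate_hsts(headers: Dict[str, str], over_tls: bool = True) -> List[str]:
    """Return a list of findings for a response's HSTS policy.

    An empty list means the policy is present, valid, covers subdomains and
    has a max-age of at least one year. Each finding starts with a short tag
    ('missing', 'ignored', 'invalid', 'disabled', 'weak', 'partial', 'preload').
    """
    findings: List[str] = []
    # Header names are case-insensitive, so match without regard to case.
    value = next(
        (v for k, v in headers.items() if k.lower() == "strict-transport-security"),
        None,
    )
    if value is None:
        findings.append(
            "missing: no Strict-Transport-Security header, so a later plain-HTTP "
            "request is not upgraded by the browser"
        )
        return findings
    if not over_tls:
        # Per RFC 6797 a UA must ignore HSTS received over a non-secure transport.
        findings.append("ignored: HSTS header delivered over plain HTTP has no effect")
        return findings

    d = parse_hsts(value)
    max_age_raw = d.get("max-age")
    if max_age_raw is None or not max_age_raw.isdigit():
        findings.append("invalid: max-age directive missing or non-numeric; browsers ignore the header")
        return findings

    max_age = int(max_age_raw)
    if max_age == 0:
        findings.append("disabled: max-age=0 clears any cached policy for the host")
    elif max_age < ONE_YEAR:
        findings.append(f"weak: max-age={max_age} is below one year ({ONE_YEAR})")

    if "includesubdomains" not in d:
        findings.append("partial: includeSubDomains absent, so subdomains stay downgradeable")

    if "preload" in d and (max_age < ONE_YEAR or "includesubdomains" not in d):
        findings.append("preload: token present but preload-list requirements are not met")
    return findings


# Constructed sample responses for demonstration (not real captures).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "no_hsts": {"Content-Type": "text/html", "Server": "constructed-example"},
    "short": {"Strict-Transport-Security": "max-age=86400"},
    "strong": {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"},
}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        result = evaluate_hsts(hdrs)
        print(f"{name}: {'ok' if not result else '; '.join(result)}")
```

Run it as a script to see one line per sample; in practice you would feed `evaluate_hsts` the headers of a real HTTPS response and pass `over_tls=False` for anything fetched over plain HTTP, since a policy seen there does not count.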