One means by which I could see an f.pypi.python.org DNS record being
left in place indefinitely is if the TUF folks are able to come up
with a scheme for offering end-to-end security for the *existing* PyPI
metadata, *and* the TUF metadata is mirrored by bandersnatch *and* the
TUF client side integrity checks are invoked by pip. In that case, the
security argument regarding the lack of TLS on the subdomains would be
rendered moot, and the backwards compatibility argument for keeping it
active would win.

It seems like you've been reading our minds (or at least our mailing list)!