My question is: should user deal with this kind of stuff themselves? If some ciphers are blacklisted in HTTP2 shouldn't this be handled somewhere in Twisted?
As others have already said, this should work out of the box, and I'm not sure why it isn't for you, especially that you've gone to the extra trouble of building a Docker image and retrieving recent enough versions of every relevant layer of the stack.
However, to answer this question generally: this should absolutely be handled by Twisted. In fact, even if we're doing the right thing already except in your one configuration, we should go a step beyond and provide tooling and logging to clearly explain to system operators why they won't get HTTP/2 if their dependencies are out of date.
-glyph