As a security improvement, I suggest that curl implement random record padding.
Record padding is primarily applicable to servers as a way to mitigate vulnerabilities such as CRIME and BREACH that involve compression and reflection. But, who knows - there may be some future vulnerability that random record padding will address on the client - it couldn't hurt :)
Wouldn't middle boxes already be a problem for TLS 1.3 then?
There is middlebox compatibility in OpenSSL (and I assume others).
Perhaps a flag/configuration option to optionally enable this would be nice, then down the line if all goes well, it could be enabled by default?
I don't see a reason to do it by default. We may end up lessening security and compatibility for no good reason. It might allow for a vulnerability instead of preventing one. I really don't know what will happen. As an option I expect it would be very obscure; this is the first I'm hearing of it. You could use CURLOPT_SSL_CTX_FUNCTION if you want it.
Padding is in general a thing people invent when designing protocols and then nobody actually uses when running them since they're a waste of bandwidth. I suspect that's why we've never seen a demand for padding for TLS before.