How does MTA-STS prevent downgrade attacks?
An attacker can block STARTTLS to force a plaintext connection, but with MTA-STS delivery is blocked if TLS is unavailable. The sending server obeys the published policy, defined in RFC 8461, and refuses to fall back to an insecure connection.
It is like refusing to sail into a harbor unless the lighthouse signals confirm a safe route.
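The decision a sending server makes can be sketched in code. This is an added example, not part of the original answer or of any mail server's code: it parses an RFC 8461 policy body and decides per MX host whether to deliver, refusing only when the policy mode is `enforce`. The function names and the `example.com` policy are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample policy body (example.com is a placeholder domain).
SAMPLE_POLICY = (
    "version: STSv1\r\nmode: enforce\r\n"
    "mx: mail.example.com\r\nmx: *.mx.example.com\r\nmax_age: 86400\r\n"
)

@dataclass
class Policy:
    mode: str
    max_age: int
    mx: list

def parse_policy(text):
    """Parse the key/value policy body; reject anything that is not a valid STSv1 policy."""
    fields, mx = {}, []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank or malformed line: ignored in this sketch
        if key.strip() == "mx":
            mx.append(value.strip().lower())
        else:
            fields.setdefault(key.strip(), value.strip())  # first occurrence wins
    if fields.get("version") != "STSv1":
        raise ValueError("not an STSv1 policy")
    if fields.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    if not fields.get("max_age", "").isdigit():
        raise ValueError("missing or invalid max_age")
    return Policy(fields["mode"], int(fields["max_age"]), mx)

def mx_allowed(policy, host):
    """A '*.' pattern matches exactly one left-most label, never more."""
    host = host.lower().rstrip(".")
    for pattern in policy.mx:
        if pattern.startswith("*."):
            if host.partition(".")[2] == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False

def decide(policy, mx_host, starttls_offered, cert_valid):
    """Return 'deliver' or 'refuse' for one candidate MX host."""
    ok = mx_allowed(policy, mx_host) and starttls_offered and cert_valid
    # Only 'enforce' turns a failed check into a refusal; there is no plaintext fallback.
    return "deliver" if ok or policy.mode != "enforce" else "refuse"
```

With the sample policy, a listed MX host whose STARTTLS offer has been stripped yields `refuse`, while the same failure under `mode: testing` still yields `deliver`.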