I would also suggest changing the SecurityProtocol to Tls12 only, because HIBP only accepts >= TLS 1.2.
According to the docs, the default behavior (even if you don't set it) should be ok:
When custom validation is not used, the certificate name is compared with the host name used to create the request. For example, if Create(String) was passed a parameter of "https://www.contoso.com/default.html", the default behavior is for the client to check the certificate against www.contoso.com.
You accept all server certificates without validation with this line: https://github.com/andrew-schofield/keepass2-haveibeenpwned/blob/56fab5bc88b7a623e8ae5f54e68a15bcc4b15130/HaveIBeenPwned/HaveIBeenPwnedExt.cs#L95
Docs reference
If I should contribute a PR, feel free to tell me that 😉
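
The change suggested in this issue, as an added example that is not part of the original post or the plugin's own code: an accept-all validation callback beside the default validation with TLS 1.2 pinned. The class and method names are hypothetical, and the exact shape of the accept-all callback is an assumption, since the referenced line is not quoted on this page.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper class; names are illustrative, not from the plugin.
static class TransportSecurityExample
{
    // Pattern the issue describes (assumed shape): the callback returns true
    // for every certificate, so name mismatches, untrusted chains and
    // missing certificates are all accepted.
    public static void AcceptAllCertificates()
    {
        ServicePointManager.ServerCertificateValidationCallback =
            (sender, certificate, chain, sslPolicyErrors) => true;
    }

    // Suggested fix: no custom callback, so the framework checks the chain and
    // compares the certificate name with the request host, and only TLS 1.2
    // is offered (SecurityProtocolType.Tls12 requires .NET Framework 4.5+).
    public static void UseDefaultValidation()
    {
        ServicePointManager.ServerCertificateValidationCallback = null;
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
    }

    // If a callback has to stay (for logging, say), it must fail closed:
    // accept only when the platform reported no policy errors at all.
    public static bool FailClosed(object sender, X509Certificate certificate,
                                  X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;
        Console.Error.WriteLine("TLS validation failed: " + errors);
        return false;
    }

    static void Main()
    {
        UseDefaultValidation();
        Console.WriteLine("Protocols: " + ServicePointManager.SecurityProtocol);

        // Constructed inputs: exercise the fail-closed callback offline.
        Console.WriteLine(FailClosed(null, null, null, SslPolicyErrors.None));
        Console.WriteLine(FailClosed(null, null, null,
            SslPolicyErrors.RemoteCertificateNameMismatch));
    }
}
```

Both ServicePointManager settings are process-wide, so in a plugin they also affect the host application and any other plugins loaded into the same process.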