Say even more clearly that you can't trust the client to send their most preferred shares

[ekr]

This vector MAY be empty if the client is requesting a HelloRetryRequest. Each KeyShareEntry value MUST correspond to a group offered in the "supported_groups" extension and MUST appear in the same order. However, the values MAY be a non-contiguous subset of the "supported_groups" extension and MAY omit the most preferred groups. Such a situation could arise if the most preferred groups are new and unlikely to be supported in enough places to make pregenerating key shares for them efficient.

But see: https://datatracker.ietf.org/doc/draft-davidben-tls-key-share-prediction/

[ekr]

Fixed by #1331.